What's the rationale for the restriction? I don't see the threat of increased granularity at first glance. Any why not reduced granularity? `frame-ancestors https:` seems like a reasonable thing for a page to ask for. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Thu, Aug 28, 2014 at 7:05 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote: > I vote for accepting only a list of host-sources and failing closed if > a source-list is given. I am worried that silently discarding > extra path information might give devs a false sense of security. > > On 27 August 2014 08:53, Hill, Brad <bhill@paypal.com> wrote: > > One final last call comment if it’s not too late… > > > > > > > > The directive-value ABNF for frame-ancestors is just listed as > > “source-list”. > > > > > > > > The previous ABNF when it was in the UISecurity spec, and previous > > X-Frame-Options behavior, should only accept a list of host-sources, or > > should discard any extra path information and use only the Origin. This > is > > not reflected in current spec text. > > > > > > > > -Brad > >
Received on Monday, 1 September 2014 13:52:40 UTC