Re: CORS/UMP to become joint WebApps and WebAppSec joint deliverable

On Aug 3, 2011, at 10:21 , Anne van Kesteren wrote:

> On Tue, 02 Aug 2011 14:37:31 +0200, Arthur Barstow <> wrote:
>> The From-Origin spec is WebApps'; it is _not_ a joint deliverable with the proposed WebAppSec WG.
> I assumed it was because of "Secure Cross-Domain Framing" and the significant overlap.

It's certainly in scope for that group, though it's not obvious that from-origin is the approach that group would want to take.

In this particular case, the question isn't so much what deliverable is in what WG, but rather what the relationship is going to be with x-frame-options (draft under development at the IETF), a possible CSP based approach, and things like the timing-allow-from header.  The rest will eventually follow from that.

Sounds like a good discussion for TPAC to me.

Received on Wednesday, 3 August 2011 10:58:47 UTC