- From: Arthur Barstow <art.barstow@nokia.com>
- Date: Fri, 01 Jul 2011 10:34:01 -0400
- To: ext Daniel Veditz <dveditz@mozilla.com>, Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>
- CC: WebApps WG <public-webapps@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>
On 6/30/11 10:31 PM, ext Daniel Veditz wrote: > On 6/30/11 9:31 AM, Maciej Stachowiak wrote: >> On Jun 30, 2011, at 7:22 AM, Anne van Kesteren wrote: >>> (Added public-web-security because of the potential for doing >>> this in CSP instead. Though that would require a slight change >>> of scope for CSP, which I'm not sure is actually desirable.) >> I approve of publishing this as FWPD. >> >> I also don't think it makes sense to tie this to CSP. > Conceptually it's similar to the CSP frame-ancestors > directive--which we've decided doesn't fit in CSP either. Most of > CSP is "can load" while frame-ancestors was "can be loaded by". > We've proposed that the frame-ancestors functionality be moved into > an expanded/standardized X-Frame-Options mechanism, but a > standardized "From-Origin" would work just as well (better?). > > It may still make sense to put From-Origin in the WebSecurity > (not-quite) WG along with CORS rather than free floating in WebApps. > But I don't have strong feelings about that. I don't feel strongly about the charter issue either. (As I understand it, CORS will be a joint deliverable between WebApps WG and WebAppSec WG and as such, my expectation is that both WGs will participate in decisions such as "does the spec meet Last Call Working Draft requirements?".) > Mozilla would be > interested in implementing this feature regardless. This is good to read. Based on the feeback so far, I will start a CfC to publish a First Public Working Draft of Anne's spec. -Art Barstow [1] http://lists.w3.org/Archives/Public/www-tag/2011Jun/0192.html
Received on Friday, 1 July 2011 16:02:45 UTC