Re: [whatwg/fetch] From-Origin (#687)

> make deployment of From-Origin more difficult if there is no way to limit From-Origin check to the document and not the whole ancestor chain.

If all browsers ship process-isolation at the `<iframe>` boundary at some point this will also be a limitation of the feature that makes it harder for sites to use that want to be embedded as a widget. Perhaps we should consider a more complicated design: `same`/`same-with-ancestors`/`same-site`/`same-site-with-ancestors`. Or alternatively go back to the idea of requiring both `From-Origin` and `X-Frame-Options` to be specified. (If we include ancestor checking I think it should work identically to `X-Frame-Options`, including any referrer checks we may include there to avoid leaking the embedder.)

I think failing for `data:` URLs (and sandboxed `<iframe>`s without same-origin) is fine. Making that work while still keeping things secure seems quite complex.

For service workers we could go through the ancestor chain of the clients that are currently active (I would expect this for dedicated and shared workers), but that would not be very deterministic. I guess that means that once you have a service worker you need to be careful about `X-Frame-Options`/`From-Origin` for resources that can be intercepted.

-- 
https://github.com/whatwg/fetch/issues/687#issuecomment-387042254

Received on Monday, 7 May 2018 11:57:38 UTC
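The following is an added illustration, not code from the Fetch spec or from anyone in this thread: a small JavaScript model of the four-valued `same`/`same-with-ancestors`/`same-site`/`same-site-with-ancestors` design floated in the comment, showing how the document-only variants differ from the whole-ancestor-chain variants and why a `data:` client simply fails. The function names and the two-label registrable-domain rule are assumptions made here.

```javascript
// Hypothetical model of the proposed From-Origin values (not the spec's
// algorithm). Origins are parsed with the WHATWG URL class; the registrable
// domain is approximated as the last two host labels instead of consulting
// the Public Suffix List (a deliberate simplification for this illustration).

function originOf(url) {
  const u = new URL(url);
  // data:, blob:, about: and sandboxed documents have opaque origins, so they
  // can never satisfy the check; the comment above accepts that they fail.
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol, host: u.hostname, port };
}

function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function sameOrigin(a, b) {
  return a !== null && b !== null &&
    a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function sameSite(a, b) {
  // Schemeful same-site: the scheme must match, the port may differ.
  return a !== null && b !== null && a.scheme === b.scheme &&
    registrableDomain(a.host) === registrableDomain(b.host);
}

// policy name -> [origin comparison, whether the ancestor chain is checked]
const POLICIES = new Map([
  ['same', [sameOrigin, false]],
  ['same-with-ancestors', [sameOrigin, true]],
  ['same-site', [sameSite, false]],
  ['same-site-with-ancestors', [sameSite, true]],
]);

// Decide whether a response carrying `From-Origin: <policy>` may be delivered
// to the document at clientUrl. ancestorUrls is that document's ancestor chain
// (empty for a top-level page) and is consulted only by the *-with-ancestors
// variants, which is exactly the document-only vs. whole-chain split discussed.
function fromOriginAllows(policy, resourceUrl, clientUrl, ancestorUrls = []) {
  const entry = POLICIES.get(policy);
  if (!entry) return true; // absent or unrecognised header: no restriction
  const [matches, withAncestors] = entry;
  const resource = originOf(resourceUrl);
  const chain = withAncestors ? [clientUrl, ...ancestorUrls] : [clientUrl];
  return chain.every((u) => matches(resource, originOf(u)));
}
```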