Re: [whatwg/fetch] From-Origin (#687)

> It makes sense to make this header value consistent with other similar mechanisms. I believe a list of origins is allowed in CSP frame ancestors.

That's correct. Some browsers support a similar `ALLOW-FROM` mechanism in `X-Frame-Options` as well.

> If that is used in the wild, it makes sense to support multiple origins in this new header as well.

I wouldn't tie the (non)sensicalness of granular control to `frame-ancestors` usage, but allow it to stand on its own. We have some fairly concrete claims from Google's application folks in this thread and elsewhere on Twitter that it would be hard to deploy `From-Origin` without such granularity. I'd suggest that it adds only marginal implementation complexity over and above `same` and `same-origin`, and seems to be well worth the tradeoff against deployment complexity.

> Conversely, we might envision supporting same-site in CSP frame ancestors.

Some sort of alignment here seems like a reasonable idea; it does seem like a useful addition, though I'm not sure how to add it in a backwards-compatible way.

https://github.com/whatwg/fetch/issues/687#issuecomment-390738716

Received on Monday, 21 May 2018 18:20:17 UTC
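Added example, not code from this thread or from the Fetch standard: a small policy evaluator that makes the granularity being argued for concrete. It treats `same-origin` as an exact origin match, reads `same` as same-site (an assumption, chosen because the thread pairs it with the narrower `same-origin`), and accepts a space-separated list of origins in the frame-ancestors style; the header syntax and the `from_origin_allows` name are assumptions.

```python
from urllib.parse import urlsplit

# Constructed example. Header grammar and keyword meanings are assumed here,
# not taken from the From-Origin proposal; a list entry is a serialized origin.
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> tuple:
    """Return (scheme, lowercase host, port) with default ports filled in."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels. A real implementation must use
    the Public Suffix List, otherwise hosts under co.uk-style suffixes are
    grouped into one 'site' that they do not share."""
    return ".".join(host.split(".")[-2:])


def same_site(a: tuple, b: tuple) -> bool:
    """Same scheme and same registrable domain; ports are ignored for sites."""
    return a[0] == b[0] and registrable_domain(a[1]) == registrable_domain(b[1])


def from_origin_allows(header: str, resource_url: str, requester: str) -> bool:
    """Decide whether a request from the origin `requester` may load
    `resource_url` under the given From-Origin header value.
    An absent/empty header means no policy (allow); a present header that
    matches nothing, or an unparsable requester, blocks."""
    if not header.strip():
        return True
    resource = origin_of(resource_url)
    try:
        requester_origin = origin_of(requester)
    except (KeyError, AttributeError, ValueError):
        return False
    for token in header.split():
        if token == "same-origin" and requester_origin == resource:
            return True
        if token == "same" and same_site(requester_origin, resource):
            return True
        if "://" in token:
            try:
                if origin_of(token) == requester_origin:
                    return True
            except (KeyError, AttributeError, ValueError):
                continue  # skip an unparsable list entry, keep evaluating
    return False
```

The `same` branch is where the PSL caveat bites: with the simplified `registrable_domain`, `a.co.uk` and `b.co.uk` would wrongly count as one site.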