Re: Cross-Origin Resource Embedding Restrictions

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 01 Mar 2011 20:29:12 -0800
Message-ID: <4D6DC798.6010404@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>, Brandon Sterne <bsterne@mozilla.com>

On 3/1/11 12:26 AM, Adam Barth wrote:
> From-Origin is closely related to one of the proposed CSP
> features, namely frame-ancestors, which also controls how the
> given resource can be embedded in other documents:

Also similar to X-Frame-Options; I'd hate to end up with all three
mechanisms. I'd be happy(ish) to jettison frame-ancestors from CSP
if there's another competent header that can take up that use-case.
Mainly we wanted to fix X-Frame-Options (without introducing the
incompatibilities of "embrace and extend") but didn't want to invent
yet another header to do it.

Depending on how it's eventually spec'd the Origin header could
satisfy the same use-case with server-side enforcement. For that to
happen it'd have to be sent with every request; not sure it's
specified that way currently.

Personally I'm more optimistic about client-enforced mechanisms
because you only need five or so correct browser implementations,
not tens or hundreds of app framework implementations. Either way
the site authors have to correctly specify their policy, of course,
and that's a big concern.

-Dan Veditz
Received on Wednesday, 2 March 2011 04:30:23 UTC
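An added illustration of the two approaches Dan contrasts (example code, not from the thread or any of the projects named): server-side enforcement keyed on the request's Origin header beside the client-enforced X-Frame-Options and CSP frame-ancestors headers derived from one allowlist, so the two never disagree. The origins and allowlist are constructed values; the absent-Origin case is the caveat raised above, that Origin is not sent with every request.

```python
from urllib.parse import urlsplit

# Constructed values (assumptions, not from the thread): the resource's own
# origin and the set of origins permitted to frame or embed it.
SELF_ORIGIN = "https://app.example"
ALLOWED_EMBEDDERS = {"https://app.example", "https://partner.example"}


def normalize_origin(value):
    """Reduce a serialized origin to lowercase scheme://host[:port]; None if malformed."""
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path not in ("", "/"):
        return None
    default = 443 if parts.scheme == "https" else 80
    port = parts.port or default
    host = parts.hostname.lower()
    return f"{parts.scheme}://{host}" if port == default else f"{parts.scheme}://{host}:{port}"


def origin_check(origin_header, allowed=ALLOWED_EMBEDDERS):
    """Server-side enforcement on the Origin request header.

    Returns True/False when Origin is present. Returns None when it is absent:
    the server cannot decide on its own in that case and must rely on the
    client-enforced headers from embedding_headers()."""
    if origin_header is None:
        return None
    return normalize_origin(origin_header) in allowed


def embedding_headers(allowed=ALLOWED_EMBEDDERS, self_origin=SELF_ORIGIN):
    """Client-enforced policy built from the same allowlist as origin_check()."""
    sources = " ".join(sorted(allowed)) or "'none'"
    headers = {"Content-Security-Policy": "frame-ancestors " + sources}
    # X-Frame-Options can only say DENY or SAMEORIGIN, not a list of origins,
    # so emit it only when it states exactly the same policy as frame-ancestors.
    if not allowed:
        headers["X-Frame-Options"] = "DENY"
    elif allowed == {self_origin}:
        headers["X-Frame-Options"] = "SAMEORIGIN"
    return headers
```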