- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 01 Mar 2011 20:29:12 -0800
- To: Adam Barth <w3c@adambarth.com>
- CC: Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>, Brandon Sterne <bsterne@mozilla.com>
On 3/1/11 12:26 AM, Adam Barth wrote:
> From-Origin is closely related to one of the proposed CSP
> features, namely frame-ancestors, which also controls how the
> given resource can be embedded in other documents:

Also similar to X-Frame-Options; I'd hate to end up with all three mechanisms. I'd be happy(ish) to jettison frame-ancestors from CSP if there's another competent header that can take up that use-case. Mainly we wanted to fix X-Frame-Options (without introducing the incompatibilities of "embrace and extend") but didn't want to invent yet another header to do it.

Depending on how it's eventually spec'd the Origin header could satisfy the same use-case with server-side enforcement. For that to happen it'd have to be sent with every request; not sure it's specified that way currently.

Personally I'm more optimistic about client-enforced mechanisms because you only need five or so correct browser implementations, not tens or hundreds of app framework implementations. Either way the site authors have to correctly specify their policy, of course, and that's a big concern.

-Dan Veditz
Received on Wednesday, 2 March 2011 04:30:23 UTC
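The mail contrasts two enforcement points for one framing policy: headers the browser enforces (X-Frame-Options, CSP frame-ancestors) and a server-side check of the Origin request header. The following is an added example, not code from the mail, from Mozilla or from any of the specs it mentions. It expresses a single policy both ways and makes the gap Dan raises explicit: a request that carries no Origin header cannot be attributed to an embedder, so the server-side path returns "undetermined" rather than guessing. The `FramingPolicy` class, the function names, and the origins `https://app.example` and `https://partner.example` are constructed for illustration; the `frame-ancestors` syntax used is the one later standardized in CSP Level 2, not the 2011 draft.

```python
"""Added example (not from the mail or any cited spec): one framing policy
expressed as client-enforced headers and as a server-side Origin check."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class FramingPolicy:
    """Who may embed our pages. Constructed for this example."""
    self_origin: str
    allow_self: bool = True
    allowed_embedders: tuple = ()


def normalize_origin(value):
    """Return 'scheme://host[:port]' for an Origin header value, or None when the
    value is absent, 'null' (opaque origin), or not a bare origin (anything with
    userinfo, a path, a query or a fragment is rejected, so lookalikes such as
    'https://partner.example@evil.example' do not match an allowlisted origin)."""
    if value is None:
        return None
    value = value.strip()
    if value == "" or value.lower() == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def client_enforced_headers(policy):
    """Response headers the browser enforces. CSP frame-ancestors carries the full
    allowlist; X-Frame-Options can only say DENY or SAMEORIGIN, so it is emitted as
    a fail-closed fallback for browsers without CSP support (CSP Level 2 specifies
    that frame-ancestors takes precedence when both headers are present)."""
    if not policy.allow_self and not policy.allowed_embedders:
        sources = ["'none'"]
    else:
        sources = (["'self'"] if policy.allow_self else []) + list(policy.allowed_embedders)
    return {
        "Content-Security-Policy": "frame-ancestors " + " ".join(sources),
        "X-Frame-Options": "SAMEORIGIN" if policy.allow_self else "DENY",
    }


def server_side_decision(request_headers, policy):
    """Server-side enforcement from the Origin request header, the alternative the
    mail sketches. Returns 'allow', 'deny' or 'undetermined'. The request_headers
    dict is assumed to use the canonical key 'Origin'. An absent header is
    'undetermined': without Origin on every request the server cannot tell a
    top-level visit from a framed load, which is exactly the gap Dan points out.
    A present but unusable value (e.g. 'null') is denied."""
    raw = request_headers.get("Origin")
    origin = normalize_origin(raw)
    if origin is None:
        return "deny" if raw is not None else "undetermined"
    if origin == normalize_origin(policy.self_origin):
        return "allow" if policy.allow_self else "deny"
    allowed = {normalize_origin(o) for o in policy.allowed_embedders}
    return "allow" if origin in allowed else "deny"


if __name__ == "__main__":
    # Constructed policy and requests for a stand-alone run.
    policy = FramingPolicy("https://app.example", allowed_embedders=("https://partner.example",))
    print(client_enforced_headers(policy))
    for req in ({"Origin": "https://partner.example"}, {"Origin": "https://evil.example"},
                {"Origin": "null"}, {}):
        print(req, "->", server_side_decision(req, policy))
```

The `undetermined` result is the practical consequence of the mail's caveat: a server-side check can only supplement the client-enforced headers unless the browser sends Origin on every request, and in the meantime the response headers remain the mechanism that actually stops framing.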