- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 30 Jun 2011 19:31:53 -0700
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>
On 6/30/11 9:31 AM, Maciej Stachowiak wrote: > > On Jun 30, 2011, at 7:22 AM, Anne van Kesteren wrote: >> (Added public-web-security because of the potential for doing >> this in CSP instead. Though that would require a slight change >> of scope for CSP, which I'm not sure is actually desirable.) > > I approve of publishing this as FWPD. > > I also don't think it makes sense to tie this to CSP. Conceptually it's similar to the CSP frame-ancestors directive--which we've decided doesn't fit in CSP either. Most of CSP is "can load" while frame-ancestors was "can be loaded by". We've proposed that the frame-ancestors functionality be moved into an expanded/standardized X-Frame-Options mechanism, but a standardized "From-Origin" would work just as well (better?). It may still make sense to put From-Origin in the WebSecurity (not-quite) WG along with CORS rather than free floating in WebApps. But I don't have strong feelings about that. Mozilla would be interested in implementing this feature regardless. -Dan Veditz
Received on Friday, 1 July 2011 02:32:29 UTC