Re: Publishing From-Origin Proposal as FPWD

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 06 Jul 2011 11:59:55 +0200
To: "Arthur Barstow" <art.barstow@nokia.com>, "Hill, Brad" <bhill@paypal-inc.com>
Cc: "WebApps WG" <public-webapps@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "Daniel Veditz" <dveditz@mozilla.com>
Message-ID: <op.vx6zd5s764w2qv@annevk-macbookpro.local>

On Tue, 05 Jul 2011 17:50:57 +0200, Hill, Brad <bhill@paypal-inc.com> wrote:
> I feel that the goals of this draft are either inconsistent with the  
> basic architecture of the web, cannot be meaningfully accomplished by  
> the proposed mechanism, or both, and I haven't seen any discussion of  
> these concerns yet.

It would be helpful if you could articulate what exactly of  
http://www.w3.org/TR/webarch/ argues against having this feature.

As for users disabling this feature in their user agent, that would of  
course be a problem and mean the feature would not work. How likely this  
is to happen is somewhat unclear to me. Sites wishing to prevent bandwidth  
theft can already do so via Referer header checking, which has the  
annoying side effect that sometimes not even direct linking towards such a  
resource works.

And as for clickjacking, because of the design of the header as it stands  
now it can replace the non-standard X-Frame-Options. This does indeed not  
give fine-grained control, but you do not need that for all cases.

Anne van Kesteren
Received on Wednesday, 6 July 2011 10:00:35 UTC
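
The Referer-checking side effect mentioned in the message above, as an added example that is not part of the original e-mail: a server-side check sees the same Referer for a cross-site embed and for a clicked cross-site link, and sees no Referer at all for a typed URL or bookmark. The origin `https://images.example`, the function names and the sample requests are constructed for illustration.

```javascript
// Added example: Referer-based hotlink check for a static resource.
// SITE_ORIGIN and all sample requests below are constructed, not from the thread.
const SITE_ORIGIN = "https://images.example";

// Origin named by the Referer header: null when absent, "invalid" when unparsable.
function refererOrigin(headers) {
  const value = headers["referer"]; // Node lower-cases header names
  if (!value) return null;
  try {
    return new URL(value).origin;
  } catch (e) {
    return "invalid";
  }
}

// strict:  serve only when Referer names our own origin.
// lenient: additionally serve when no Referer was sent at all.
function decide(headers, strict) {
  const origin = refererOrigin(headers);
  if (origin === SITE_ORIGIN) return "serve";
  if (origin === null) return strict ? "block" : "serve";
  return "block";
}

const samples = [
  { label: "embedded by own page",
    headers: { referer: "https://images.example/gallery.html" } },
  // An <img> embed and a clicked link on another site send the same header,
  // so the server cannot block one without blocking the other.
  { label: "embed or clicked link on other site",
    headers: { referer: "https://other.example/post/1" } },
  { label: "typed URL, bookmark, or Referer suppressed", headers: {} },
  { label: "malformed Referer", headers: { referer: "not a url" } },
];

function evaluate(strict) {
  return samples.map((s) => decide(s.headers, strict));
}

for (const strict of [true, false]) {
  const results = evaluate(strict);
  console.log(strict ? "strict" : "lenient");
  samples.forEach((s, i) => console.log(`  ${results[i].padEnd(5)}  ${s.label}`));
}
```

Under the strict policy the direct visit in the third sample is refused, which is the side effect described; the lenient policy serves it but then also serves any request that arrives without a Referer.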