- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 06 Jul 2011 11:59:55 +0200
- To: "Arthur Barstow" <art.barstow@nokia.com>, "Hill, Brad" <bhill@paypal-inc.com>
- Cc: "WebApps WG" <public-webapps@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "Daniel Veditz" <dveditz@mozilla.com>
On Tue, 05 Jul 2011 17:50:57 +0200, Hill, Brad <bhill@paypal-inc.com> wrote: > I feel that the goals of this draft are either inconsistent with the > basic architecture of the web, cannot be meaningfully accomplished by > the proposed mechanism, or both, and I haven't seen any discussion of > these concerns yet. It would be helpful if you could articulate what exactly of http://www.w3.org/TR/webarch/ argues against having this feature. As for users disabling this feature in their user agent, that would of course be a problem and mean the feature would not work. How likely this is to happen is somewhat unclear to me. Sites wishing to prevent bandwidth theft can already do so via Referer header checking, which has the annoying side effect that sometimes not even direct linking towards such a resource works. And as for clickjacking, because of the design of the header as it stands now it can replace the non-standard X-Frame-Options. This does indeed not give fine-grained control, but you do not need that for all cases. -- Anne van Kesteren http://annevankesteren.nl/
Received on Wednesday, 6 July 2011 10:00:35 UTC