Re: Frame embedding: One problem, three possible specs?

My sense from talking with folks is that there isn't a lot of
enthusiasm for supporting this use case in CSP at the present time.
We're trying to concentrate on a core set of directives for the first
iteration.  If it helps reduce complexity, you might consider dropping
option (1) for the time being.

Adam


On Thu, Jul 7, 2011 at 2:11 PM, Thomas Roessler <tlr@w3.org> wrote:
> (Warning, this is cross-posted widely. One of the lists is the IETF websec mailing list, to which the IETF NOTE WELL applies: http://www.ietf.org/about/note-well.html)
>
>
> Folks,
>
> there appear to be at least three possible specifications addressing this space, with similar but different designs:
>
> 1. A proposed deliverable in the WebAppSec group to take up on X-Frame-Options and express those in CSP:
>  http://www.w3.org/2011/07/appsecwg-charter.html
>
> (We expect that this charter might go to the W3C AC for review as soon as next week.)
>
> 2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion") currently considered for publication as an FPWD in the Webapps WG:
>  http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html
>
> This draft mentions integration into CSP as a possible path forward.
>
> 3. draft-gondrom-frame-options, an individual I-D mentioned to websec:
>  https://datatracker.ietf.org/doc/draft-gondrom-frame-options/
>  http://www.ietf.org/mail-archive/web/websec/current/msg00388.html
>
>
> How do we go about it?  One path forward might be to just proceed as currently planned and coordinate when webappsec starts working.
>
> Another path forward might be to see whether we can agree now on what forum to take these things forward in (and what the coordination dance might look like).
>
> Thoughts welcome.
>
> Regards,
> --
> Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)
>
>
>
>

Received on Thursday, 7 July 2011 22:24:44 UTC