- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 7 Jul 2011 15:23:45 -0700
- To: Thomas Roessler <tlr@w3.org>
- Cc: Tobias Gondrom <tobias.gondrom@gondrom.org>, Arthur Barstow <art.barstow@nokia.com>, Brad Hill <bhill@paypal-inc.com>, Eric Rescorla <ekr@rtfm.com>, Alexey Melnikov <alexey.melnikov@isode.com>, David Ross <dross@microsoft.com>, Anne van Kesteren <annevk@opera.com>, Adrian Bateman <adrianba@microsoft.com>, Brandon Sterne <bsterne@mozilla.com>, Charles McCathieNevile <chaals@opera.com>, Maciej Stachowiak <mjs@apple.com>, Peter Saint-Andre <stpeter@stpeter.im>, "Michael(tm) Smith" <mike@w3.org>, Mark Nottingham <mnot@mnot.net>, Jeff Hodges <jeff.hodges@paypal-inc.com>, public-web-security@w3.org, public-webapps@w3.org, websec@ietf.org
My sense from talking with folks is that there isn't a lot of enthusiasm for supporting this use case in CSP at the present time. We're trying to concentrate on a core set of directives for the first iteration. If it helps reduce complexity, you might consider dropping option (1) for the time being. Adam On Thu, Jul 7, 2011 at 2:11 PM, Thomas Roessler <tlr@w3.org> wrote: > (Warning, this is cross-posted widely. One of the lists is the IETF websec mailing list, to which the IETF NOTE WELL applies: http://www.ietf.org/about/note-well.html) > > > Folks, > > there appear to be at least three possible specifications addressing this space, with similar but different designs: > > 1. A proposed deliverable in the WebAppSec group to take up on X-Frame-Options and express those in CSP: > http://www.w3.org/2011/07/appsecwg-charter.html > > (We expect that this charter might go to the W3C AC for review as soon as next week.) > > 2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion") currently considered for publication as an FPWD in the Webapps WG: > http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html > > This draft mentions integration into CSP as a possible path forward. > > 3. draft-gondrom-frame-options, an individual I-D mentioned to websec: > https://datatracker.ietf.org/doc/draft-gondrom-frame-options/ > http://www.ietf.org/mail-archive/web/websec/current/msg00388.html > > > How do we go about it? One path forward might be to just proceed as currently planned and coordinate when webappsec starts working. > > Another path forward might be to see whether we can agree now on what forum to take these things forward in (and what the coordination dance might look like). > > Thoughts welcome. > > Regards, > -- > Thomas Roessler, W3C <tlr@w3.org> (@roessler) > > > >
Received on Thursday, 7 July 2011 22:24:44 UTC