- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Tue, 26 Feb 2013 20:43:00 +0000
- To: David Ross <dross@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> Earlier in the document we had effectively said, "If you understand UI Safety, feel free to ignore X-FRAME-OPTIONS." But now we go on to say "If you know about UI Safety but don't actually implement it, also feel free to ignore X-FRAME-OPTIONS." I suppose that makes sense and is the simplest to code, but it seems a little odd that you could specify both UI Safety and X-FRAME-OPTIONS on a page and then have both completely ignored, legitimately.
>
> David Ross
> dross@microsoft.com

[Hill, Brad] David, thanks for the detailed feedback. I hope we can address much of it on the call, but this specific point probably deserves a bit more text here first.

I don't actually think this is that unusual a scenario. Consider that PayPal might want to make a risk decision like: "Allow an iframed payment button here, but only if the UI Security heuristics are enforced. Otherwise, on legacy browsers, this should be blocked."

If a browser using assistive technology is new enough to know about the UI Security heuristics, but chooses not to implement them because they're not meaningful or attacks are inherently prevented by the nature of the technology (e.g. with a screen reader), then it makes sense to ignore both directives. Requiring user agents with assistive technology to honor X-Frame-Options if they choose to ignore UI Security would have the effect of permanently excluding such users from this kind of content, even when there is no threat.

-Brad
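The precedence the two messages above argue about can be written down as a small policy evaluator. The following is an added illustration, not code from the thread, from the UI Safety draft, or from any browser: it assumes a hypothetical `ui-safety-policy` header name as a stand-in for the UI Security directive (the real directive syntax is not on this page) and models the three user-agent cases the reply describes (legacy, knows-and-enforces, knows-but-opts-out). Only `X-Frame-Options` and its values `DENY`, `SAMEORIGIN` and `ALLOW-FROM` are real.

```python
"""Constructed example of the X-Frame-Options / UI Safety precedence discussed in the thread."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    BLOCK = "block"                               # do not render the frame at all
    ALLOW = "allow"                               # render with no extra protection
    ALLOW_WITH_HEURISTICS = "allow+heuristics"    # render, UA enforces UI Security heuristics


@dataclass(frozen=True)
class UserAgent:
    knows_ui_safety: bool    # parses the UI Safety directive at all (legacy browsers do not)
    enforces_ui_safety: bool # actually runs the heuristics; a screen reader might opt out


def _xfo_allows(value: str, top_origin: str, framed_origin: str) -> bool:
    """Evaluate a real X-Frame-Options value; unknown values are treated as DENY (fail closed)."""
    parts = value.strip().upper().split()
    if not parts:
        return False
    if parts[0] == "DENY":
        return False
    if parts[0] == "SAMEORIGIN":
        return top_origin == framed_origin
    if parts[0] == "ALLOW-FROM" and len(parts) == 2:
        return top_origin.lower() == parts[1].lower()
    return False


def frame_decision(headers: dict, ua: UserAgent, top_origin: str, framed_origin: str) -> Decision:
    """Decide whether the framed response may render, given its headers and the UA's capabilities.

    Header lookup is case-insensitive; 'ui-safety-policy' is a hypothetical placeholder name.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options")
    ui_safety = lowered.get("ui-safety-policy")  # hypothetical, stands in for the UI Security directive

    if ui_safety is None:
        # No UI Safety policy at all: X-Frame-Options alone governs, as it does today.
        if xfo is None:
            return Decision.ALLOW
        return Decision.ALLOW if _xfo_allows(xfo, top_origin, framed_origin) else Decision.BLOCK

    if not ua.knows_ui_safety:
        # Legacy browser: it cannot see the UI Safety policy, so it falls back to X-Frame-Options.
        # With DENY this yields the "block on legacy browsers" half of the PayPal risk decision.
        if xfo is None:
            return Decision.ALLOW
        return Decision.ALLOW if _xfo_allows(xfo, top_origin, framed_origin) else Decision.BLOCK

    if ua.enforces_ui_safety:
        # Modern UA that implements the heuristics: UI Safety wins, X-Frame-Options is ignored.
        return Decision.ALLOW_WITH_HEURISTICS

    # Knows about UI Safety but deliberately does not enforce it (e.g. assistive technology
    # where the attack is not meaningful): per the reply, both directives are ignored.
    return Decision.ALLOW


# Constructed response headers for the scenario in the reply: a framed payment button that
# should render only under enforced heuristics and be blocked on legacy browsers.
PAYMENT_BUTTON_HEADERS = {
    "X-Frame-Options": "DENY",
    "UI-Safety-Policy": "enforce",   # hypothetical header and value
}

LEGACY = UserAgent(knows_ui_safety=False, enforces_ui_safety=False)
MODERN = UserAgent(knows_ui_safety=True, enforces_ui_safety=True)
SCREEN_READER = UserAgent(knows_ui_safety=True, enforces_ui_safety=False)

if __name__ == "__main__":
    for name, ua in (("legacy", LEGACY), ("modern", MODERN), ("screen reader", SCREEN_READER)):
        d = frame_decision(PAYMENT_BUTTON_HEADERS, ua, "https://merchant.example", "https://pay.example")
        print(f"{name:14s} -> {d.value}")
```

Running the block prints one line per user-agent class; the interesting row is the opted-out assistive UA, which renders the frame even though `X-Frame-Options: DENY` is present, which is exactly the outcome David Ross found odd and Brad Hill defends.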
Received on Tuesday, 26 February 2013 20:43:30 UTC