- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Mon, 10 Jun 2013 20:37:30 -0700
- To: Peleus Uhley <puhley@adobe.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> The primary concern with this issue is that it would
> be a by-default information leak in the browser that
> sites would have to take action to protect themselves
> against it. Do we think that this risk merits a change
> to the spec? Any additional ideas or concerns?

I think this is the key concern: we are adding a whole new "default insecure" threat for legacy web applications who might have no idea what is happening in the world of webappsec.

Instead, may I suggest that the UI security spec is only enforced if both the security principals in question have opted in to trusting each other via an appropriate X-Frame-Options (or CSP frame-options) and CSP frame-src directive. If not enforcement, the reporting is only enforced if both principals opt in?

I am not sure how practical this is (if at all) for the web applications the specification targets.

regards
Dev
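The mutual opt-in rule proposed in the message above, modelled as a small policy check. This is an added example and not code from the original post or from the W3C UI Security draft: the function names, the header parsing and the sample responses for the constructed origins `https://shop.example` and `https://pay.example` are this example's own. It reads the framing page's CSP `frame-src` source list and the framed page's `X-Frame-Options: ALLOW-FROM` value or CSP `frame-options` directive (the draft directive of the time; CSP 2 later shipped the equivalent as `frame-ancestors`), and applies the UI security policy only when both principals name each other, so a legacy application that sends no framing headers is left outside the new behaviour.

```python
"""Model of "enforce only if both principals opted in" (added example, not the spec's code)."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Normalise a URL to its origin: scheme://host[:port], lower-cased."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme.lower()}://{p.hostname.lower()}{port}"


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy value into {directive: [source-expression, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_list_allows(sources, own_origin: str, other_origin: str) -> bool:
    """Deliberately small CSP source-list matcher: handles '*', 'self', 'none' and exact origins only."""
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "*" or (s == "'self'" and own_origin == other_origin) or s == other_origin:
            return True
    return False


def embedder_opts_in(embedder_url: str, embedder_headers: dict, embeddee_url: str) -> bool:
    """The framing page opts in by naming the framed origin in its CSP frame-src."""
    csp = parse_csp(embedder_headers.get("Content-Security-Policy", ""))
    if "frame-src" not in csp:
        return False
    return source_list_allows(csp["frame-src"], origin_of(embedder_url), origin_of(embeddee_url))


def embeddee_opts_in(embeddee_url: str, embeddee_headers: dict, embedder_url: str) -> bool:
    """The framed page opts in via X-Frame-Options: ALLOW-FROM <origin> or a CSP frame-options directive."""
    embedder = origin_of(embedder_url)
    parts = embeddee_headers.get("X-Frame-Options", "").split()
    if len(parts) == 2 and parts[0].upper() == "ALLOW-FROM" and origin_of(parts[1]) == embedder:
        return True
    csp = parse_csp(embeddee_headers.get("Content-Security-Policy", ""))
    if "frame-options" in csp:
        return source_list_allows(csp["frame-options"], origin_of(embeddee_url), embedder)
    return False


def ui_security_applies(embedder_url, embedder_headers, embeddee_url, embeddee_headers) -> bool:
    """Apply the UI security policy only when BOTH principals have opted in to each other."""
    return (embedder_opts_in(embedder_url, embedder_headers, embeddee_url)
            and embeddee_opts_in(embeddee_url, embeddee_headers, embedder_url))


# Constructed sample responses (hypothetical origins, not real sites).
SHOP = "https://shop.example"
PAY = "https://pay.example"
SHOP_HEADERS = {"Content-Security-Policy": "default-src 'self'; frame-src https://pay.example"}
PAY_HEADERS = {"X-Frame-Options": "ALLOW-FROM https://shop.example"}
LEGACY_HEADERS = {}  # a legacy application that sends no framing headers at all

if __name__ == "__main__":
    print(ui_security_applies(SHOP, SHOP_HEADERS, PAY, PAY_HEADERS))     # mutual opt-in: policy applies
    print(ui_security_applies(SHOP, SHOP_HEADERS, PAY, LEGACY_HEADERS))  # legacy framed app: left alone
```

The design choice worth noting is that the check is conjunctive: a framing page that lists the framed origin in `frame-src` gains nothing unless the framed page also names the framer, so neither side can pull the other into the new (and, per the thread, potentially leaky) behaviour unilaterally.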
Received on Tuesday, 11 June 2013 03:38:17 UTC