On Mon, Jun 10, 2013 at 8:37 PM, Devdatta Akhawe <dev.akhawe@gmail.com>wrote: > > The primary concern with this issue is that it would > > be a by-default information leak in the browser that > > sites would have to take action to protect themselves > > against it. Do we think that this risk merits a change > > to the spec? Any additional ideas or concerns? > > I think this is the key concern: we are adding a whole new "default > insecure" threat for legacy web applications who might have no idea > what is happening in the world of webappsec. Instead, may I suggest > that the UI security spec is only enforced if both the security > principals in question have opted-in to trusting each other via an > appropriate X-Frame-Options (or csp frame-options) and csp frame-src > directive. If not enforcement, the reporting is only enforced if both > principals opt-in ? > If so then attacker.com will happily not opt-in and the defense would never be enabled :( > I am not sure how practical this is (if at all) for the web > applications the specification targets. > > regards > Dev > >
Received on Tuesday, 11 June 2013 04:09:23 UTC