- From: Tobias Gondrom <tobias.gondrom@gondrom.org>
- Date: Tue, 05 Mar 2013 17:05:19 +0800
- To: public-webappsec@w3.org
Hi all,

actually I can see no benefit to keep the "top-only" keyword. IMHO exact compatibility is not required and in fact this deprecated option can lead to insecure implementations.

So IMHO, I would suggest to rather not have "top-only".

Best regards, Tobias

On 05/03/13 13:41, Web Application Security Working Group Issue Tracker wrote:
> webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]
>
> http://www.w3.org/2011/webappsec/track/issues/45
>
> Raised by: Brad Hill
> On product: UI Security
>
> The current UI Security draft specifies a 'top-only' keyword source for the frame-options directive to preserve exact compatibility with X-Frame-Options.
>
> This is actually a dangerous and mis-understood behavior:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=725490
>
> Is there a good reason to keep the 'top-only' behavior?

Received on Tuesday, 5 March 2013 09:05:50 UTC