- From: Ian Melven <imelven@mozilla.com>
- Date: Fri, 8 Mar 2013 16:14:12 -0800 (PST)
- To: public-webappsec@w3.org
oops, I forgot: [1] http://www.veracode.com/blog/2012/11/security-headers-report/

sorry!

ian

----- Original Message -----
From: "Ian Melven" <imelven@mozilla.com>
To: public-webappsec@w3.org
Sent: Friday, March 8, 2013 4:06:42 PM
Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

Yes, I would also suggest to not have top-only.

See https://bugzilla.mozilla.org/show_bug.cgi?id=725490 where folks would like to see Firefox adopt non-spec-compliant behavior for X-Frame-Options, breaking the 'top-only' case for existing sites (assuming anyone is using XFO this way and expecting it to only check the top level window).

Their argument is that it's better to contradict the (now deprecated) XFO spec now because many sites have implemented XFO compared to CSP [1] and these sites aren't being protected in the way they're expecting.

I'm on the fence about changing XFO, but I don't see why we need to preserve compatibility here for frame-options. I'm open to being convinced as always though.

thanks,
ian

----- Original Message -----
From: "Tobias Gondrom" <tobias.gondrom@gondrom.org>
To: public-webappsec@w3.org
Sent: Tuesday, March 5, 2013 1:05:19 AM
Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

Hi all,

actually I can see no benefit to keep the "top-only" keyword.
IMHO exact compatibility is not required and in fact this deprecated option can lead to insecure implementations.
So IMHO, I would suggest to rather not have "top-only".

Best regards, Tobias

On 05/03/13 13:41, Web Application Security Working Group Issue Tracker wrote:
> webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]
>
> http://www.w3.org/2011/webappsec/track/issues/45
>
> Raised by: Brad Hill
> On product: UI Security
>
> The current UI Security draft specifies a 'top-only' keyword source for the frame-options directive to preserve exact compatibility with X-Frame-Options.
>
> This is actually a dangerous and misunderstood behavior:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=725490
>
> Is there a good reason to keep the 'top-only' behavior?
Received on Saturday, 9 March 2013 00:14:43 UTC
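The thread contrasts two ways a browser can enforce a SAMEORIGIN framing policy: looking only at the top-level window ('top-only', the X-Frame-Options compatibility case) or looking at every ancestor window. The following is an added illustration written for this archive page; it is not code from any message above, from Firefox, or from the UI Security draft. It models both semantics over a constructed frame chain (the hostnames `bank.example` and `evil.example` and the page paths are hypothetical) to show the case the bug report calls dangerous: an attacker-controlled frame sitting between the protected document and a same-origin top-level window.

```javascript
// Added illustration (not code from this thread or from any browser):
// evaluating an X-Frame-Options / frame-options policy under the two
// semantics the thread contrasts.
//   "top-only":  compare only the top-level window's origin
//   "ancestors": compare the origin of every ancestor window
// All URLs below are constructed sample data with hypothetical hosts.

function originOf(url) {
  const u = new URL(url);
  // scheme + host (+ non-default port): the usual notion of an origin
  return `${u.protocol}//${u.host}`;
}

/**
 * @param {string} policy        header value: "DENY" or "SAMEORIGIN"
 * @param {string} protectedUrl  URL of the framed document that sent the header
 * @param {string[]} ancestors   ancestor documents, from the direct parent
 *                               up to the top-level window
 * @param {"top-only"|"ancestors"} mode  which ancestors the check examines
 * @returns {boolean} true if the document may be rendered in this frame chain
 */
function framingAllowed(policy, protectedUrl, ancestors, mode) {
  if (ancestors.length === 0) return true; // not framed: nothing to enforce
  const p = policy.trim().toUpperCase();
  if (p === "DENY") return false;
  if (p !== "SAMEORIGIN") throw new Error(`unsupported policy value: ${policy}`);
  if (mode !== "top-only" && mode !== "ancestors") throw new Error(`unknown mode: ${mode}`);

  const self = originOf(protectedUrl);
  const toCheck = mode === "top-only" ? [ancestors[ancestors.length - 1]] : ancestors;
  return toCheck.every((ancestorUrl) => originOf(ancestorUrl) === self);
}

// Constructed scenario: the protected page is framed by an attacker page,
// which is itself framed by a page on the protected page's own origin
// (for example a page on that origin that embeds third-party content).
const VICTIM = "https://bank.example/transfer";
const NESTED_CHAIN = [
  "https://evil.example/clickjack",     // direct parent: attacker-controlled
  "https://bank.example/embed-partner", // top-level window: same origin as VICTIM
];
const DIRECT_CHAIN = ["https://evil.example/clickjack"]; // attacker is the top window

function scenario() {
  return {
    // top-only sees only the same-origin top window and lets the
    // attacker's intermediate frame through
    nestedTopOnly: framingAllowed("SAMEORIGIN", VICTIM, NESTED_CHAIN, "top-only"),
    // checking every ancestor catches the attacker frame
    nestedAncestors: framingAllowed("SAMEORIGIN", VICTIM, NESTED_CHAIN, "ancestors"),
    // both semantics agree when the attacker is the top-level window
    directTopOnly: framingAllowed("SAMEORIGIN", VICTIM, DIRECT_CHAIN, "top-only"),
    directAncestors: framingAllowed("SAMEORIGIN", VICTIM, DIRECT_CHAIN, "ancestors"),
  };
}

console.log(scenario());
```

The nested case is the one that matters: under 'top-only' the protected document renders inside the attacker's frame because only `bank.example` at the top is consulted, while checking every ancestor rejects it. Whether a real browser behaves one way or the other is exactly what the bug linked in the thread is about; this model only makes the difference between the two readings concrete.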