- From: Ian Melven <imelven@mozilla.com>
- Date: Mon, 11 Mar 2013 10:31:10 -0700 (PDT)
- To: Tobias Gondrom <tobias.gondrom@gondrom.org>
- Cc: public-webappsec@w3.org
yes, this is the argument i have made in our bug on changing XFO. I also filed another Mozilla bug for implementing frame-options in CSP : https://bugzilla.mozilla.org/show_bug.cgi?id=846978

comments/feedback in either of those bugs are very welcome ! :)

thanks,
ian

----- Original Message -----
From: "Tobias Gondrom" <tobias.gondrom@gondrom.org>
To: public-webappsec@w3.org
Sent: Sunday, March 10, 2013 9:05:52 PM
Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

Current approach is to only document XFO (as an RFC) and put all future improvements as FO in the future CSP1.1.
So to now start updating/amending XFO would not make sense. And updates/improvements should go into the future FO in CSP1.1.

Tobias

On 09/03/13 08:06, Ian Melven wrote:
> Yes, I would also suggest to not have top-only.
>
> See https://bugzilla.mozilla.org/show_bug.cgi?id=725490 where folks would like to see
> Firefox adopt non-spec-compliant behavior for X-Frame-Options, breaking the 'top-only' case
> for existing sites (assuming anyone is using XFO this way and expecting it to only check the top level window).
>
> Their argument is that it's better to contradict the (now deprecated) XFO spec now because many sites have implemented XFO
> compared to CSP [1] and these sites aren't being protected in the way they're expecting.
>
> I'm on the fence about changing XFO, but I don't see why we need to preserve compatibility here for frame-options.
> I'm open to being convinced as always though.
>
> thanks,
> ian
>
> ----- Original Message -----
> From: "Tobias Gondrom" <tobias.gondrom@gondrom.org>
> To: public-webappsec@w3.org
> Sent: Tuesday, March 5, 2013 1:05:19 AM
> Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]
>
> Hi all,
> actually I can see no benefit to keep the "top-only" keyword.
> IMHO exact compatibility is not required and in fact this deprecated
> option can lead to insecure implementations.
>
> So IMHO, I would suggest to rather not have "top-only".
>
> Best regards, Tobias
>
> On 05/03/13 13:41, Web Application Security Working Group Issue Tracker wrote:
>> webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]
>>
>> http://www.w3.org/2011/webappsec/track/issues/45
>>
>> Raised by: Brad Hill
>> On product: UI Security
>>
>> The current UI Security draft specifies a 'top-only' keyword source for the frame-options directive to preserve exact compatibility with X-Frame-Options.
>>
>> This is actually a dangerous and mis-understood behavior:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=725490
>>
>> Is there a good reason to keep the 'top-only' behavior?
Received on Monday, 11 March 2013 17:31:38 UTC
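The thread turns on the difference between a frame-options check that looks only at the top-level window ('top-only', the legacy X-Frame-Options reading) and one that checks every ancestor frame. The following is an added illustration, not code from the thread, from any browser or from the UI Security draft: it models a framed page's ancestor chain as a constructed list of URLs and evaluates a SAMEORIGIN policy under both readings, showing the nested cross-origin frame case that the cited bug is about. The origins and frame chain are invented sample data.

```javascript
// Added illustration (not from the thread or any browser): how the two
// readings of X-Frame-Options: SAMEORIGIN differ on a nested frame chain.
// Origins are plain strings such as "https://bank.example"; the frame chain
// below is a constructed sample, not captured from any real site.

// Return the origin (scheme + host + port) of an absolute URL string.
function originOf(url) {
  return new URL(url).origin;
}

// ancestors: ancestor document URLs ordered from the direct parent (index 0)
// up to the top-level browsing context (last element).
// mode "top-only": compare only against the top-level document's origin,
//   as implementations that consulted only window.top did.
// mode "all-ancestors": every frame in the chain must be same-origin with
//   the framed page, so a cross-origin intermediate frame blocks rendering.
function sameOriginAllowsFraming(pageUrl, ancestors, mode) {
  if (ancestors.length === 0) return true; // not framed at all
  const self = originOf(pageUrl);
  if (mode === "top-only") {
    return originOf(ancestors[ancestors.length - 1]) === self;
  }
  if (mode === "all-ancestors") {
    return ancestors.every((a) => originOf(a) === self);
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Constructed scenario: the top-level document is same-origin with the
// framed page, but the direct parent frame belongs to another origin.
// A top-only check lets the page render inside that cross-origin frame;
// an all-ancestors check refuses, which is the protection sites expect.
const framedPage = "https://bank.example/transfer";
const chain = [
  "https://other.example/widget", // direct parent: cross-origin
  "https://bank.example/portal",  // top-level: same-origin
];

function demo() {
  return {
    topOnly: sameOriginAllowsFraming(framedPage, chain, "top-only"),
    allAncestors: sameOriginAllowsFraming(framedPage, chain, "all-ancestors"),
  };
}

console.log(demo()); // { topOnly: true, allAncestors: false }
```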