- From: Tobias Gondrom <tobias.gondrom@gondrom.org>
- Date: Tue, 12 Mar 2013 22:05:46 +0800
- To: annevk@annevk.nl
- CC: imelven@mozilla.com, public-webappsec@w3.org

On 12/03/13 21:58, Anne van Kesteren wrote:
> On Mon, Mar 11, 2013 at 5:31 PM, Ian Melven <imelven@mozilla.com> wrote:
>> yes, this is the argument i have made in our bug on changing XFO.
>>
>> I also filed another Mozilla bug for implementing frame-options in CSP :
>> https://bugzilla.mozilla.org/show_bug.cgi?id=846978
>>
>> comments/feedback in either of those bugs are very welcome ! :)
> If CSP supplants XFO it should document XFO and their mutual
> interaction (and not just as a consideration, but just give the rules
> implementations should follow).

The plan is to have CSP as the successor for XFO.
We currently document the "old" existing XFO practice as informational
in websec
http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02

But improvements going forward in the future are planned to be put into
CSP 1.1.

With this approach, I believe it should be sufficient if we just
reference XFO from CSP1.1 after the XFO RFC has been released.

Best regards, Tobias

Received on Tuesday, 12 March 2013 14:06:27 UTC