Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

From: Tobias Gondrom <tobias.gondrom@gondrom.org>
Date: Tue, 12 Mar 2013 22:05:46 +0800
Message-ID: <513F363A.9060805@gondrom.org>
To: annevk@annevk.nl
CC: imelven@mozilla.com, public-webappsec@w3.org

On 12/03/13 21:58, Anne van Kesteren wrote:
> On Mon, Mar 11, 2013 at 5:31 PM, Ian Melven <imelven@mozilla.com> wrote:
>> yes, this is the argument i have made in our bug on changing XFO.
>> I also filed another Mozilla bug for implementing frame-options in CSP :
>> https://bugzilla.mozilla.org/show_bug.cgi?id=846978
>> comments/feedback in either of those bugs are very welcome ! :)
> If CSP supplants XFO it should document XFO and their mutual
> interaction (and not just as a consideration, but just give the rules
> implementations should follow).

The plan is to have CSP as the successor for XFO.
We currently document the "old" existing XFO practice as informational
in websec.

But improvements going forward in the future are planned to be put into
CSP 1.1.

With this approach, I believe it should be sufficient if we just
reference XFO from CSP1.1 after the XFO RFC has been released.

Best regards, Tobias
Received on Tuesday, 12 March 2013 14:06:27 UTC