Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

On Tue, Mar 12, 2013 at 2:03 PM, Hill, Brad <> wrote:
> [Hill, Brad] That's covered in
> but I would certainly appreciate comments to make the behavior more explicit if you feel such is necessary.

I would expect MUST, not SHOULD. I would also expect that to result
from following a set of rules. E.g.

1. If the CSP header is present and contains X, do ...

2. Otherwise, if the CSP header does not contain X, run these substeps:

2.1 If there's a X-Frame-Options header, do ...

To make it completely unambiguous what is expected from implementations.


Received on Tuesday, 12 March 2013 14:09:15 UTC