RE: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

X-FRAME-OPTIONS was designed around the idea that users make trust decisions based on the top level trust UI – they simply cannot make a reasonable trust decision about specific unmarked rectangles (frames) that may exist on the page.

The introduction of the sandbox attribute changed the model to enable sites to safely host fully arbitrary, untrusted content in frames.  This change to the model created demand for the suggested ancestor walk.

IMO, we should avoid breaking sites that still subscribe to the old model by keeping the top-only option intact.  However I do agree that top-only should not be the default in CSP UI.

David Ross

-----Original Message-----
From: [] On Behalf Of Anne van Kesteren
Sent: Tuesday, March 12, 2013 7:09 AM
To: Hill, Brad
Cc: Ian Melven; Tobias Gondrom;
Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

On Tue, Mar 12, 2013 at 2:03 PM, Hill, Brad <> wrote:
> [Hill, Brad] That's covered in
> r-interface-safety.html
> but I would certainly appreciate comments to make the behavior more explicit if you feel such is necessary.

I would expect MUST, not SHOULD. I would also expect that to result from following a set of rules. E.g.

1. If the CSP header is present and contains X, do ...

2. Otherwise, if the CSP header does not contain X, run these substeps:

2.1 If there's a X-Frame-Options header, do ...

To make it completely unambiguous what is expected from implementations.


Received on Tuesday, 12 March 2013 20:35:47 UTC