- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 12 Mar 2013 18:44:08 -0700
- To: David Ross <dross@microsoft.com>
- CC: Anne van Kesteren <annevk@annevk.nl>, "Hill, Brad" <bhill@paypal-inc.com>, Ian Melven <imelven@mozilla.com>, Tobias Gondrom <tobias.gondrom@gondrom.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 3/12/2013 1:33 PM, David Ross wrote:

> X-FRAME-OPTIONS was designed around the idea that users make trust
> decisions based on the top level trust UI – they simply cannot make a
> reasonable trust decision about specific unmarked rectangles (frames)
> that may exist on the page.
>
> The introduction of the sandbox attribute changed the model to enable
> sites to safely host fully arbitrary, untrusted content in frames.
> This change to the model created demand for the suggested ancestor
> walk.

_Users_ make trust decisions based on the topmost URL, but that's not the problem here. The "ancestor walk" in Mozilla's original frame-ancestors feature was based on site content (not users) deciding which sites they trust to frame them without attempting any tricks. The user may "trust" randomunknown.com to show them a cat video without having any idea it's framing their bank.

It had nothing to do with <iframe sandbox>, which we had not considered implementing at that time. Rather, we were worried that a complex domain like Google or Facebook may frame some of its own content, but may also frame partner domains on other parts of its site. For example, Twitter streams can frame YouTube videos, but I bet if Twitter relies on XFO: SAMEORIGIN anywhere they aren't entirely happy having to trust that YouTube won't suffer an XSS bug.

-Dan Veditz
Received on Wednesday, 13 March 2013 01:44:40 UTC
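Added example (not code from the thread or from any browser): the difference between the full ancestor walk described above and a SAMEORIGIN check that looks only at the top-level page, run over a constructed twitter.com -> youtube.com -> twitter.com frame chain. The policy matching is a deliberate simplification and assumes only 'self', 'none' and scheme://host sources.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Reduce a URL (or scheme://host source) to its origin tuple (scheme, host, port)."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

def source_matches(source, ancestor_url, document_url):
    """Match one frame-ancestors source ('self', 'none' or scheme://host, assumed
    subset of the real grammar) against the origin of one ancestor frame."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(ancestor_url) == origin_of(document_url)
    return origin_of(source) == origin_of(ancestor_url)

def ancestor_walk_allows(policy, document_url, ancestors):
    """Ancestor walk: every frame from the immediate parent up to the top-level
    page must match at least one source in the policy."""
    sources = policy.split()
    return all(any(source_matches(s, a, document_url) for s in sources)
               for a in ancestors)

def top_level_only_allows(document_url, ancestors):
    """SAMEORIGIN as implemented by engines that compare only the top-level origin,
    ignoring every intermediate frame."""
    return not ancestors or origin_of(ancestors[-1]) == origin_of(document_url)

# Constructed scenario from the thread: a twitter.com page frames a YouTube player,
# which in turn frames a twitter.com widget. Chain is parent-first, top-level last.
DOCUMENT = "https://twitter.com/widget"
CHAIN = ["https://www.youtube.com/embed/v123", "https://twitter.com/home"]

if __name__ == "__main__":
    # Top-level-only check passes because the outermost page is twitter.com,
    # even though youtube.com sits in between; the full walk rejects that chain
    # unless youtube.com is listed explicitly.
    print("top-level-only SAMEORIGIN:", top_level_only_allows(DOCUMENT, CHAIN))
    print("walk, 'self':", ancestor_walk_allows("'self'", DOCUMENT, CHAIN))
    print("walk, 'self' https://www.youtube.com:",
          ancestor_walk_allows("'self' https://www.youtube.com", DOCUMENT, CHAIN))
```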