Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]


Brad - no, we don't have any actual data to support assertions that changing
XFO won't break sites.

Personally, I think it's very unlikely that just pushing this patch to Nightly will result in
timely reports of breakage that can be tied to an XFO change - recent history doesn't support that IMO.

I think telemetry is the best way to get data about breakage, but as I've said, I'd also
prefer to see CSP frame-options get implemented instead of breaking XFO, particularly
when other browser vendors don't seem interested in doing the same.


----- Original Message -----
From: "Devdatta Akhawe" <>
To: "Brad Hill" <>
Cc: "David Ross" <>, "Anne van Kesteren" <>, "Ian Melven" <>, "Tobias Gondrom" <>,
Sent: Monday, March 18, 2013 10:28:04 AM
Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

> Do any browsers (looking at Moz) have or would be able to provide telemetry illustrating if there are sites that work with top-only and would fail with ancestor-aware checks?  (just wondering about existence, not specific names)

The consensus on the bug seems to be that it might be ok to just push
it to the nightly/aurora channels and see if anything breaks. I might
be wrong: imelven/dveditz can correct me if needed.
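To make the question in the quoted message concrete, here is an added example (not code from the thread or from any browser) that models the two X-Frame-Options checks under discussion and a telemetry-style probe that flags framings a top-only check allows but an ancestor-aware check would refuse. Only `SAMEORIGIN` and `DENY` are modelled, and the scenario URLs are constructed, not real sites.

```python
from urllib.parse import urlsplit


def origin(url):
    """Scheme/host/port tuple, the unit X-Frame-Options compares."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, port)


def xfo_allows(header, doc_url, ancestors, mode):
    """Decide whether doc_url may be framed given its X-Frame-Options header.

    ancestors: ancestor document URLs ordered from the immediate parent up to
               the top-level document ([] means the document is not framed).
    mode:      'top-only' compares against the top-level document alone;
               'ancestors' compares against every ancestor in the chain.
    Only DENY and SAMEORIGIN are modelled; unknown values are ignored,
    which is what browsers do with unrecognised header values.
    """
    if not ancestors:
        return True
    value = header.strip().upper()
    checked = [ancestors[-1]] if mode == "top-only" else ancestors
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return all(origin(a) == origin(doc_url) for a in checked)
    return True


def breakage_probe(header, doc_url, ancestors):
    """True when top-only permits a framing that an ancestor-aware check refuses.
    For SAMEORIGIN the ancestor-aware check is strictly stricter, so this is
    the only direction in which the two can disagree."""
    return (xfo_allows(header, doc_url, ancestors, "top-only")
            and not xfo_allows(header, doc_url, ancestors, "ancestors"))


# Constructed scenarios (hypothetical hosts, not real deployments).
SCENARIOS = {
    "unframed": [],
    "direct same-origin frame": ["https://app.example/page"],
    "nested: same-origin top, cross-origin middle": [
        "https://widgets.example/embed", "https://app.example/dashboard"],
    "nested: cross-origin top": ["https://app.example/inner", "https://other.example/"],
}


def count_divergent(doc_url="https://app.example/resource"):
    """Per scenario: would the switch from top-only to ancestor-aware break it?"""
    return {name: breakage_probe("SAMEORIGIN", doc_url, chain)
            for name, chain in SCENARIOS.items()}
```

Only the "same-origin top, cross-origin middle" chain is flagged; that is the shape of site a telemetry counter would need to record to answer Brad's question.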


Received on Monday, 18 March 2013 21:27:50 UTC