- From: Ian Melven <imelven@mozilla.com>
- Date: Mon, 18 Mar 2013 14:27:22 -0700 (PDT)
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: David Ross <dross@microsoft.com>, Anne van Kesteren <annevk@annevk.nl>, Tobias Gondrom <tobias.gondrom@gondrom.org>, public-webappsec@w3.org, Brad Hill <bhill@paypal-inc.com>

Hi,

Brad - no, we don't have any actual data to support assertions that changing XFO won't break sites.

personally, i think it's very unlikely that just pushing this patch to Nightly will result in timely reports of breakage that can be tied to an XFO change - recent history doesn't support that IMO.

i think telemetry is the best way to get data about breakage, but as i've said i'd also prefer to see CSP frame-options get implemented instead of breaking XFO, particularly when other browser vendors don't seem interested in doing the same.

thanks,
ian

----- Original Message -----
From: "Devdatta Akhawe" <dev.akhawe@gmail.com>
To: "Brad Hill" <bhill@paypal-inc.com>
Cc: "David Ross" <dross@microsoft.com>, "Anne van Kesteren" <annevk@annevk.nl>, "Ian Melven" <imelven@mozilla.com>, "Tobias Gondrom" <tobias.gondrom@gondrom.org>, public-webappsec@w3.org
Sent: Monday, March 18, 2013 10:28:04 AM
Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

> Do any browsers (looking at Moz) have or would be able to provide telemetry illustrating if there are sites that work with top-only and would fail with ancestor-aware checks? (just wondering about existence, not specific names)
>

The consensus on the bug seems to be that it might be ok to just push it to the nightly/aurora channels and see if anything breaks. I might be wrong: imelven/dveditz can correct me if needed.

--dev

Received on Monday, 18 March 2013 21:27:50 UTC