W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2013

Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

From: Ian Melven <imelven@mozilla.com>
Date: Mon, 18 Mar 2013 14:27:22 -0700 (PDT)
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: David Ross <dross@microsoft.com>, Anne van Kesteren <annevk@annevk.nl>, Tobias Gondrom <tobias.gondrom@gondrom.org>, public-webappsec@w3.org, Brad Hill <bhill@paypal-inc.com>
Message-ID: <167383303.3721678.1363642042791.JavaMail.root@mozilla.com>


Brad - no, we don't have any actual data to support assertions that changing
XFO won't break sites.

personally, i think it's very unlikely that just pushing this patch to Nightly will result in 
timely reports of breakage that can be tied to an XFO change - recent history doesn't support that IMO.

i think telemetry is the best way to get data about breakage, but as i've said i'd also
prefer to see CSP frame-options get implemented instead of breaking XFO, particularly
when other browser vendors don't seem interested in doing the same.


----- Original Message -----
From: "Devdatta Akhawe" <dev.akhawe@gmail.com>
To: "Brad Hill" <bhill@paypal-inc.com>
Cc: "David Ross" <dross@microsoft.com>, "Anne van Kesteren" <annevk@annevk.nl>, "Ian Melven" <imelven@mozilla.com>, "Tobias Gondrom" <tobias.gondrom@gondrom.org>, public-webappsec@w3.org
Sent: Monday, March 18, 2013 10:28:04 AM
Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving?  [UI Security]

> Do any browsers (looking at Moz) have or would be able to provide telemetry illustrating if there are sites that work with top-only and would fail with ancestor-aware checks?  (just wondering about existence, not specific names)

The consensus on the bug seem to be that it might be ok to just push
it to the nightly/aurora channels and see if anything breaks. I might
be wrong: imelven/dveditz can correct me if needed.

Received on Monday, 18 March 2013 21:27:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:31 UTC