'frame-options' and 'deny'. from Mike West on 2013-11-27 (public-webappsec@w3.org from November 2013)

From: Mike West <mkwst@google.com>
Date: Wed, 27 Nov 2013 12:02:31 +0100
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Brad Hill <bhill@paypal-inc.com>, Dan Veditz <dveditz@mozilla.com>, Garrett Robinson <grobinson@mozilla.com>
Message-ID: <CAKXHy=fmq7qQreiQaCXGUyf5UDhyThZx0en9VT6EchjTWfg=HQ@mail.gmail.com>

I'm starting to play around with an implementation of the 'frame-options'
directive for Blink.

Based on that (brief) experience, I have two related suggestions:

1. Change the name to match Mozilla's 'frame-ancestors'
2.  Replace the 'deny' keyword with 'none'.

Doing both would make processing the directive entirely similar to other
source-list directives.

The risks of doing so are:

1. Folks already using 'frame-ancestors' would be subject to the more
strict ancestor-checking in the current spec. I can't really judge how much
of a concern this is. Mozilla folks: do you have an idea how widely-used
the current behavior is?

2. We close the door on other "options" in the future. Are there other
things planned that would make the (not terribly painful) pain of
implementing another directive parser worthwhile?

Thanks!

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores

Received on Wednesday, 27 November 2013 11:03:21 UTC