Re: proposal: move frame-options directive out of UI safety spec into CSP 1.1

From: Mike West <mkwst@google.com>
Date: Mon, 21 Oct 2013 11:24:34 +0200
Message-ID: <CAKXHy=d1d=F9iTvm44qYnUyu9DwOVvqBzrwf30nRT0DswtkQKA@mail.gmail.com>
To: Ian Melven <ian.melven@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

As an aside: Blink changed XFO's SAMEORIGIN behavior to check all
ancestors. That's in Canary/Dev channels right now, but it's entirely
possible we'll have to roll that out as bug reports flow in.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores


On Wed, Oct 9, 2013 at 12:01 AM, Ian Melven <ian.melven@gmail.com> wrote:

>
> For what my personal opinion is worth, I am very strongly in favour of
> this. Largely because, unlike XFO,
> frame-options was always specified to check all ancestors IIRC - hence
> there should be less confusion
> around the implementation and usage.
>
> Thank you for suggesting it, Dan.
>
> ian
>
>
>
> On Tue, Oct 8, 2013 at 2:54 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>
>> I'd like to move the frame-options directive out of the UI safety
>> speclet and into CSP proper. The X-Frame-Options header is growing in
>> usage across the web and I'd like its replacement to be solidified into
>> a spec that is actively being finished up rather than in the more
>> nebulous UI Safety spec.
>>
>> -Dan Veditz
>>
>>
>
Received on Monday, 21 October 2013 09:25:22 UTC