Re: proposal: move frame-options directive out of UI safety spec into CSP 1.1

FWIW, there's a bug (with a patch) to check all ancestors for SAMEORIGIN for Gecko (and now that IE and potentially Blink have done this, I don't think there are any objections), but it seems to have stalled out at the moment.

Please do keep us (the webappsec list) posted on whether Blink experiences any breakage and this change ends up being backed out, if you don't mind.

Thanks Mike!

ian



On Mon, Oct 21, 2013 at 2:24 AM, Mike West <mkwst@google.com> wrote:

> As an aside: Blink changed XFO's SAMEORIGIN behavior to check all
> ancestors. That's in Canary/Dev channels right now, but it's entirely
> possible we'll have to roll that out as bug reports flow in.
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Commercial register court and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing directors: Graham Law, Christine Elizabeth Flores
>
>
> On Wed, Oct 9, 2013 at 12:01 AM, Ian Melven <ian.melven@gmail.com> wrote:
>
>>
>> For what my personal opinion is worth, I am very strongly in favour of this. Largely because, unlike XFO, frame-options was always specified to check all ancestors IIRC - hence there should be less confusion around the implementation and usage.
>>
>> Thank you for suggesting it, Dan.
>>
>> ian
>>
>>
>>
>> On Tue, Oct 8, 2013 at 2:54 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>>
>>> I'd like to move the frame-options directive out of the UI safety
>>> speclet and into CSP proper. The X-Frame-Options header is growing in
>>> usage across the web and I'd like its replacement to be solidified into
>>> a spec that is actively being finished up rather than in the more
>>> nebulous UI Safety spec.
>>>
>>> -Dan Veditz
>>>
>>>
>>
>

Received on Monday, 21 October 2013 17:20:11 UTC
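The two readings of SAMEORIGIN that the thread turns on (comparing only the top-level browsing context versus every ancestor) and the source-list check that frame-options was specified with, modelled in Python as an added illustration. This is not code from any of the posters, nor Gecko's or Blink's implementation; the origins, frame chains and the partner policy are constructed for the example, and ancestor chains are ordered from the immediate parent up to the top-level document.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL, filling in the default port."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


# Chains below run from the immediate parent up to the top-level browsing
# context, so chain[-1] is the top-level document.

def xfo_sameorigin_top_only(document_url, chain):
    """Older X-Frame-Options SAMEORIGIN behaviour: only the top-level document is compared."""
    if not chain:
        return True  # not framed at all
    return origin(chain[-1]) == origin(document_url)


def xfo_sameorigin_all_ancestors(document_url, chain):
    """SAMEORIGIN as checked by the Gecko patch, IE and Blink: every ancestor must match."""
    doc = origin(document_url)
    return all(origin(a) == doc for a in chain)


def _source_matches(expr, ancestor_url, document_url):
    """Match one frame-ancestors source expression against one ancestor document."""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin(ancestor_url) == origin(document_url)
    a_scheme, a_host, a_port = origin(ancestor_url)
    if expr.endswith(":") and "//" not in expr:      # scheme-source such as "https:"
        return expr[:-1] == a_scheme
    scheme, sep, rest = expr.partition("://")
    if not sep:                                      # bare host-source, any scheme
        scheme, rest = None, expr
    host, _, port = rest.partition(":")
    if scheme and scheme != a_scheme:
        return False
    if host.startswith("*."):
        # "*.example" matches sub.example but, as in CSP, not the bare "example"
        if not a_host.endswith(host[1:]):
            return False
    elif host != a_host:
        return False
    if port:
        return int(port) == a_port
    return a_port == DEFAULT_PORTS.get(a_scheme)   # no port given: default port only


def frame_ancestors_allows(document_url, chain, source_list):
    """Evaluate a frame-ancestors source list: every ancestor must match some source."""
    exprs = source_list.split()
    return all(any(_source_matches(e, a, document_url) for e in exprs) for a in chain)


DOCUMENT = "https://victim.example/settings"   # constructed: the page being protected
CHAINS = {
    "direct same-origin embed": ["https://victim.example/portal"],
    # a foreign frame sits between the site's own top-level page and the protected page
    "nested foreign frame": ["https://attacker.example/overlay", "https://victim.example/portal"],
    # the site embeds its own widget inside a partner's page
    "partner embeds widget": ["https://victim.example/widget", "https://partner.example/"],
}


def compare_policies(document_url=DOCUMENT, chains=CHAINS):
    """Return {chain name: (top-only, all-ancestors, frame-ancestors 'self' partner)} decisions."""
    policy = "'self' https://partner.example"   # constructed policy for the partner case
    return {
        name: (
            xfo_sameorigin_top_only(document_url, chain),
            xfo_sameorigin_all_ancestors(document_url, chain),
            frame_ancestors_allows(document_url, chain, policy),
        )
        for name, chain in chains.items()
    }


if __name__ == "__main__":
    for name, (top, every, fa) in compare_policies().items():
        print(f"{name:24} top-only={top!s:5} all-ancestors={every!s:5} frame-ancestors={fa}")
```

The "nested foreign frame" row is the one that separates the two SAMEORIGIN readings: the top-level-only check passes because the top document is the site itself, while the all-ancestors check refuses. The "partner embeds widget" row is the breakage case Mike raises: all-ancestors SAMEORIGIN has no way to allow it, whereas a frame-ancestors source list can name the partner explicitly.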