[powerful-features] Framing from Richard Barnes on 2015-10-15 (public-webappsec@w3.org from October 2015)

From: Richard Barnes <rbarnes@mozilla.com>
Date: Wed, 14 Oct 2015 20:16:16 -0700
To: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAOAcki8ZXosZxp9dBHgojSSj6anNJUtaE=QNnnwa_3uR=K60Vg@mail.gmail.com>

The ancestor chain features of the Secure Contexts spec seem like they
could cause some unexpected consequences for an HTTPS page, depending on
whether it's framed in HTTP or not.  Perhaps this spec should extend
X-Frame-Options or frame-ancestor to allow the page to specify that it
should only be framed by a secure context?

Received on Thursday, 15 October 2015 03:16:44 UTC