- From: Richard Barnes <rbarnes@mozilla.com>
- Date: Wed, 14 Oct 2015 20:16:16 -0700
- To: WebAppSec WG <public-webappsec@w3.org>
Received on Thursday, 15 October 2015 03:16:44 UTC
The ancestor chain features of the Secure Contexts spec seem like they could cause some unexpected consequences for an HTTPS page, depending on whether it's framed in HTTP or not. Perhaps this spec should extend X-Frame-Options or frame-ancestors to allow the page to specify that it should only be framed by a secure context?