> I agree that Firefox should support X-Frame-Options. It should be
> trivial to support now with the plumbing we added for CSP.

There is a slight difference between X-F-O: SameOrigin and the CSP equivalent above. X-F-O only checks the origin of the outermost page, whereas CSP checks every frame along the way.

> I'm not sure this is necessary. Couldn't the two specs be considered
> orthogonal? X-F-O will either block the frame or not, and same for
> X-CSP. So if one or both say block, then we block, otherwise we allow.

Good point.

I'm looking forward to trying out CSP when it lands on the trunk. I see various patches are being reviewed so hopefully it won't be long now.
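The difference described in this message, and the "if one or both say block, then we block" combination from the quoted reply, modelled as an added example that is not part of the original post or of any browser's code. Function names and sample URLs are constructed; the X-F-O check follows the message's description (outermost page only) and the CSP check assumes a policy that permits only the framed document's own origin.

```javascript
// Added illustration; function names and sample URLs are constructed.

// Origin = scheme + host + port, as computed by the WHATWG URL parser.
const originOf = (url) => new URL(url).origin;

// X-Frame-Options: SameOrigin as described in the message above:
// only the outermost (top-level) page is compared with the framed document.
function xfoSameOriginAllows(framedUrl, ancestors) {
  if (ancestors.length === 0) return true; // loaded top-level, not framed
  return originOf(ancestors[0]) === originOf(framedUrl);
}

// CSP-style ancestor check: every frame between the top-level page
// and the framed document must match the framed document's origin.
function cspSelfAllows(framedUrl, ancestors) {
  const self = originOf(framedUrl);
  return ancestors.every((a) => originOf(a) === self);
}

// Orthogonal combination from the quoted reply: each header is evaluated
// on its own, and the frame loads only if no header present says block.
function frameDecision(framedUrl, ancestors, { xfo = false, csp = false } = {}) {
  const xfoOk = !xfo || xfoSameOriginAllows(framedUrl, ancestors);
  const cspOk = !csp || cspSelfAllows(framedUrl, ancestors);
  return { xfoOk, cspOk, allowed: xfoOk && cspOk };
}

// Constructed ancestor chains, listed outermost first.
const framed = "https://bank.example/transfer";
const chains = {
  sameOriginOnly: ["https://bank.example/", "https://bank.example/widgets"],
  foreignTop: ["https://other.example/", "https://bank.example/widgets"],
  // Same-origin top page, but a third-party frame sits in between.
  foreignMiddle: ["https://bank.example/", "https://ads.example/slot"],
};

for (const [name, ancestors] of Object.entries(chains)) {
  console.log(name, frameDecision(framed, ancestors, { xfo: true, csp: true }));
}
```

The `foreignMiddle` chain is the case where the two checks disagree: the outermost-only check passes while the per-ancestor check blocks, so the combined decision is to block.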
