On 6/30/11 9:31 AM, Maciej Stachowiak wrote:
>
> On Jun 30, 2011, at 7:22 AM, Anne van Kesteren wrote:
>> (Added public-web-security because of the potential for doing
>> this in CSP instead. Though that would require a slight change
>> of scope for CSP, which I'm not sure is actually desirable.)
>
> I approve of publishing this as FWPD.
>
> I also don't think it makes sense to tie this to CSP.

Conceptually it's similar to the CSP frame-ancestors directive--which we've decided doesn't fit in CSP either. Most of CSP is "can load" while frame-ancestors was "can be loaded by". We've proposed that the frame-ancestors functionality be moved into an expanded/standardized X-Frame-Options mechanism, but a standardized "From-Origin" would work just as well (better?).

It may still make sense to put From-Origin in the WebSecurity (not-quite) WG along with CORS rather than free floating in WebApps. But I don't have strong feelings about that.

Mozilla would be interested in implementing this feature regardless.

-Dan Veditz