On 6/30/11 9:31 AM, Maciej Stachowiak wrote:
> 
> On Jun 30, 2011, at 7:22 AM, Anne van Kesteren wrote:
>> (Added public-web-security because of the potential for doing
>> this in CSP instead. Though that would require a slight change
>> of scope for CSP, which I'm not sure is actually desirable.)
> 
> I approve of publishing this as FWPD.
> 
> I also don't think it makes sense to tie this to CSP.

Conceptually it's similar to the CSP frame-ancestors
directive--which we've decided doesn't fit in CSP either. Most of
CSP is "can load" while frame-ancestors was "can be loaded by".
We've proposed that the frame-ancestors functionality be moved into
an expanded/standardized X-Frame-Options mechanism, but a
standardized "From-Origin" would work just as well (better?).

It may still make sense to put From-Origin in the WebSecurity
(not-quite) WG along with CORS rather than free floating in WebApps.
But I don't have strong feelings about that. Mozilla would be
interested in implementing this feature regardless.

-Dan Veditz

Reply via email to