>> seems to me, this confusion & potential issues are reasons to /not/
>> specify the header name as "Frame-Options" (for now), given
>> "X-FRAME-OPTIONS"'s apparent wide use.
>
> Sounds OK to me though I'd just want to be careful to do whatever the
> standards process dictates here. I have to imagine there's a precedent we'd
> want to follow.

There isn't much "process" wrt which we choose.

In terms of precedent, AFAIK there are examples of both (a)
documenting/specifying current practice, and (b) documenting/specifying how
proponents would like various practices to evolve.

Given that there's a fair number of web apps (aka websites) emitting
"X-FRAME-OPTIONS" (see below), and given its wide support in web browsers, I
think it's justifiable to do (a), then see about (b).

There's a recent I-D, <http://tools.ietf.org/html/draft-saintandre-xdash> 'Use
of the "X-" Prefix in Application Protocols' (being discussed on
<[email protected]>), which argues against its use. But in this case
current practice long predates said "X-" deprecation effort.

thanks,
=JeffH
------
Here's www.shodanhq.com's counts of web apps emitting x-frame-options...
* United States 6,853
* Germany 1,190
* United Kingdom 861
* Japan 793
* Canada 736
Results 1 - 10 of about 16032 for x-frame-options <-- total ?
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec