On 7/8/11 3:41 PM, =JeffH wrote:
>>> seems to me, this confusion & potential issues are reasons to /not/
>>> specify the header name as "Frame-Options" (for now), given
>>> "X-FRAME-OPTIONS" apparent wide use.
>>
>> Sounds OK to me though I'd just want to be careful to do whatever the
>> standards process dictates here.  I have to imagine there's a precedent
>> we'd want to follow.
> 
> there isn't much "process" wrt which we choose.
> 
> In terms of precedent, AFAIK there's examples of both (a)
> documenting/specifying current practice, and (b) documenting/specifying
> how proponents would like various practices to evolve.
> 
> Given that there's a fair number of web apps (aka websites) emitting
> "X-FRAME-OPTIONS" (see below), and given its wide support in web
> browsers, I think it's justifiable to do (a), then see about (b).
> 
> There's a recent I-D,
> <http://tools.ietf.org/html/draft-saintandre-xdash> 'Use of the "X-"
> Prefix in Application Protocols' (being discussed on
> <[email protected]>), which argues against its use. But in this case
> current practice long predates said "X-" deprecation effort.

Correct. This is a perfect example of how parameters leak out from the
non-standard space into the standard space. Thus "X-" is unnecessary:
someone could've just called it "Frame-Options" to start with. But as
you say, that train has left the station...

Peter

-- 
Peter Saint-Andre
https://stpeter.im/


_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
