Jeff,
actually part of doing frame-option was also inspired by Peter's "X-" draft.
You may be right and we could do a two-step approach and first document
existing "X-Frame-Options" and then move forward. But actually I do not
see much benefit of writing two drafts, the first describing existing
X-Frame-Options further as there already is some sufficient documentation.
So I hoped to get both steps in one go by getting rid of the "X-" and
making this an IETF standard "Frame-Options".
Kind regards, Tobias
On 08/07/11 22:56, Peter Saint-Andre wrote:
On 7/8/11 3:41 PM, =JeffH wrote:
seems to me, this confusion & potential issues are reasons to /not/
specify the header name as "Frame-Options" (for now), given
"X-FRAME-OPTIONS" apparent wide use.
Sounds OK to me though I'd just want to be careful to do whatever the
standards process dictates here. I have to imagine there's a
precedent we'd want to follow.
there isn't much "process" wrt which we choose.
In terms of precedent, AFAIK there's examples of both (a)
documenting/specifying current practice, and (b) documenting/specifying
how proponents would like various practices to evolve.
Given that there's a fair number of web apps (aka websites) emitting
"X-FRAME-OPTIONS" (see below), and given its wide support in web
browsers, I think it's justifiable to do (a), then see about (b).
There's a recent I-D,
<http://tools.ietf.org/html/draft-saintandre-xdash> 'Use of the "X-"
Prefix in Application Protocols' (being discussed on
<[email protected]>), which argues against its use. But in this case
current practice long predates said "X-" deprecation effort.
Correct. This is a perfect example of how parameters leak out from the
non-standard space into the standard space. Thus "X-" is unnecessary:
someone could've just called it "Frame-Options" to start with. But as
you say, that train has left the station...
Peter