On 2012-05-04 01:58, Adam Barth wrote:
> In http://tools.ietf.org/html/draft-gondrom-frame-options-02 we're introducing a new HTTP header called Frame-Options. Is there a particular reason to create yet-another-HTTP-header for carrying this security policy? Rather than inventing a new HTTP header, we can use the extensible Content-Security-Policy header. ...
Well, the header field already exists as "x-frame-options", so the only thing new here is that there's a spec, and that it's promoting a prefix-less name.
I have no opinion on whether it should be a CSP directive, but a goal should be to document what's out there, even if we don't like it. In *particular* if it is related to security, and used in practice.
Best regards, Julian
