On Fri, May 4, 2012 at 12:11 AM, Julian Reschke <[email protected]> wrote:
> On 2012-05-04 01:58, Adam Barth wrote:
>> In http://tools.ietf.org/html/draft-gondrom-frame-options-02 we're
>> introducing a new HTTP header called Frame-Options. Is there a
>> particular reason to create yet-another-HTTP-header for carrying this
>> security policy? Rather than inventing a new HTTP header, we can use
>> the extensible Content-Security-Policy header.
>> ...
>
> Well, the header field already exists as "x-frame-options", so the only
> thing new here is that there's a spec, and that it's promoting a prefix-less
> name.
>
> I have no opinion on whether it should be a CSP directive, but a goal should
> be to document what's out there, even if we don't like it. In *particular*
> if it is related to security, and used in practice.
Yes, I agree that we should document the existing X-Frame-Options header.
However, the Frame-Options header doesn't yet exist. Rather than introduce it,
I wonder if we'd be better off making the "unprefixed" version a CSP directive
rather than an HTTP header.

Adam

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
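The thread compares carrying the framing policy in a dedicated (X-)Frame-Options header with carrying it as a CSP directive. The following is an added illustration, not code from the thread, the draft, or any browser: it evaluates the same embedding decision under both forms (the draft's DENY / SAMEORIGIN / ALLOW-FROM tokens, and CSP's frame-ancestors directive, which is where this policy later landed) and exposes one caveat a reviewer of the two designs would care about. Assumptions: the X-Frame-Options check here consults only the top-level browsing context, frame-ancestors is checked against every ancestor, and only 'none', 'self', scheme: and exact-origin source expressions are supported; the URLs are constructed sample data.

```python
from urllib.parse import urlsplit


def origin(url):
    """Scheme and host[:port] of a URL, lower-cased, as an origin string."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def xfo_allows(header, page_url, ancestors):
    """Framing decision under X-Frame-Options: DENY, SAMEORIGIN or ALLOW-FROM <uri>.

    `ancestors` runs from the immediate parent to the top-level document.
    Simplification (an assumption of this example): only the top-level
    browsing context, ancestors[-1], is compared against the policy.
    """
    token, _, arg = header.strip().partition(" ")
    token, top = token.upper(), origin(ancestors[-1])
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        return origin(page_url) == top
    if token == "ALLOW-FROM" and arg.strip():
        return origin(arg.strip()) == top
    raise ValueError(f"unrecognised X-Frame-Options value: {header!r}")


def frame_ancestors_allows(csp, page_url, ancestors):
    """Framing decision under the CSP frame-ancestors directive.

    Every ancestor browsing context must match at least one source expression.
    Supported sources here: 'none', 'self', a bare scheme ("https:") and an
    exact origin ("https://partner.example"); wildcards are out of scope.
    """
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = parts[1:]
        if sources == ["'none'"]:
            return False

        def matches(ancestor):
            for s in sources:
                if s == "'self'" and origin(ancestor) == origin(page_url):
                    return True
                if s.endswith(":") and ancestor.lower().startswith(s.lower() + "//"):
                    return True
                if "://" in s and origin(s) == origin(ancestor):
                    return True
            return False

        return all(matches(a) for a in ancestors)
    return True  # no frame-ancestors directive: CSP imposes no framing restriction
```

With a single ancestor the two forms agree; with a nested chain (a same-origin frame inside a foreign top-level page) the top-level-only X-Frame-Options check permits the embedding while frame-ancestors refuses it, which is the kind of semantic difference a merged CSP directive has to settle explicitly.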
