> On Fri, May 4, 2012 at 12:11 AM, Julian Reschke <[email protected]> wrote:
>> On 2012-05-04 01:58, Adam Barth wrote:
>>> In http://tools.ietf.org/html/draft-gondrom-frame-options-02 we're
>>> introducing a new HTTP header called Frame-Options. Is there a
>>> particular reason to create yet-another-HTTP-header for carrying this
>>> security policy? Rather than inventing a new HTTP header, we can use
>>> the extensible Content-Security-Policy header.
>>> ...
>>
>> Well, the header field already exists as "x-frame-options", so the only
>> thing new here is that there's a spec, and that it's promoting a prefix-less
>> name.
>>
>> I have no opinion on whether it should be a CSP directive, but a goal should
>> be to document what's out there, even if we don't like it. In *particular*
>> if it is related to security, and used in practice.
>
> Yes, I agree that we should document the existing X-Frame-Options
> header. However, the Frame-Options header doesn't yet exist. Rather
> than introduce it, I wonder if we'd be better off making the
> "unprefixed" version a CSP directive rather than an HTTP header.
To hopefully clarify here, there's indeed an intended Informational track draft
regarding the "x-frame-options" header field such that it's documented in a
referenceable spec (rather than only a blog post).
https://tools.ietf.org/html/draft-gondrom-x-frame-options-00
And then there's the "frame-options" draft which is proposing (as Adam notes) a
new header field along with some functionality that's beyond the existing
"x-frame-options" mechanism.
http://tools.ietf.org/html/draft-gondrom-frame-options-02
It's w.r.t. this latter draft that Adam is wondering whether we could simply
specify a new directive for the content security policy header (CSP) rather
than invent yet another header field.
Also note that as of 24-Apr, both of the above drafts are accepted as WG
drafts, but it seems they haven't yet been re-issued with new filenames (see
msg from Alexey to websec@ on Tue, 24 Apr 2012 18:29:13 +0100).
=JeffH
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
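To make the header-vs-directive question in the thread concrete, here is an added example (not code from the thread, the drafts, or any browser) that evaluates the deployed X-Frame-Options header beside the same anti-framing policy expressed as a CSP directive. The directive name used, frame-ancestors, is the one CSP Level 2 eventually adopted for this purpose, not anything the thread itself names; the origin tuples, sample header values and the treatment of an unrecognised X-Frame-Options value as unenforced are assumptions made for the example. The point it shows is the semantic gap the thread hints at: X-Frame-Options compares against one browsing context, whereas a CSP source list is matched against every ancestor in the frame chain.

```python
from urllib.parse import urlsplit

# Added example, not code from the thread or from either draft. It compares the
# deployed X-Frame-Options header with the CSP directive form of the same
# policy (frame-ancestors, the directive CSP Level 2 later adopted). Origins are
# (scheme, host, port) tuples; every sample value below is constructed.

def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return (scheme, (p.hostname or "").lower(), port)

def xfo_allows(header_value, top_origin, resource_origin):
    """Evaluate an X-Frame-Options value: DENY, SAMEORIGIN or ALLOW-FROM <uri>.

    The comparison is made against the top-level browsing context only, which
    is how the ALLOW-FROM form is defined; intermediate frames are not examined.
    """
    token, _, arg = header_value.strip().partition(" ")
    token = token.upper()
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        return top_origin == resource_origin
    if token == "ALLOW-FROM" and arg.strip():
        return top_origin == origin_of(arg.strip())
    # Assumption for this example: an unrecognised value is not enforced.
    return True

def _source_matches(src, ancestor, resource_origin):
    """Match one frame-ancestors source expression against one ancestor origin."""
    if src == "'none'":
        return False
    if src == "'self'":
        return ancestor == resource_origin
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:      # scheme-source, e.g. https:
        return ancestor[0] == src[:-1].lower()
    # host-source: scheme://host[:port], or a bare host that inherits the ancestor's scheme
    return ancestor == origin_of(src if "://" in src else f"{ancestor[0]}://{src}")

def csp_frame_ancestors_allows(policy, ancestor_origins, resource_origin):
    """Evaluate the frame-ancestors directive of a Content-Security-Policy value.

    Unlike X-Frame-Options, every ancestor in the frame chain must match some
    source expression; a policy without frame-ancestors imposes no restriction.
    """
    directives = {}
    for d in policy.split(";"):
        parts = d.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    sources = directives.get("frame-ancestors")
    if sources is None:
        return True
    return all(
        any(_source_matches(s, anc, resource_origin) for s in sources)
        for anc in ancestor_origins
    )

if __name__ == "__main__":
    site = ("https", "a.example", 443)
    partner = ("https", "partner.example", 443)
    # Same intent, two encodings: one header per policy vs one CSP directive.
    print(xfo_allows("ALLOW-FROM https://partner.example", partner, site))
    print(csp_frame_ancestors_allows(
        "frame-ancestors 'self' https://partner.example", [partner, site], site))
```

The second call passes the whole ancestor chain, so a page framed by partner.example which is itself framed by an origin outside the source list is refused by the CSP form but would pass an ALLOW-FROM check that looks only at the top-level context.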