On 2012-11-06 00:19, Alexey Melnikov wrote:
Here is my review (with my co-chair hat off):

[RFC3986] should be a Normative reference (as it is required to parse/generate
a valid X-Frame-Options header field).

[RFC6454] is normative, because there is a SHOULD requirement to use it.

In Section 2.1:

   The ALLOW-FROM URI MUST be valid.

I don't know what this means exactly. Can you elaborate?

2.2.  Backus-Naur Form (BNF)

    The RFC 822 [RFC0822] EBNF of the X-Frame-Options header is:

Which makes [RFC0822] Normative.

          X-Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" /
                                  ("ALLOW-FROM" ":" URI)

    With URI as defined in [RFC3986]
    [TBD] Or should we use the ABNF (RFC 2234) alternatively to EBNF or
    in addition?

Yes, you should use RFC 5234. This probably means inserting "[WSP]" in
various places, but I think that would be much better.
...

Almost.

You should reference HTTPbis Part 1, and, in particular, *only* define the ABNF for the field value.

Best regards, Julian
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec

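As an added example, not from the draft and not written by anyone in this thread: a strict parser for the X-Frame-Options field value that follows the grammar discussed above (DENY / SAMEORIGIN / ALLOW-FROM URI) and reads "the ALLOW-FROM URI MUST be valid" as "an RFC 3986 absolute URI with a scheme and a host, i.e. something RFC 6454 can turn into an origin". It parses only the field value, leaving header-field framing (field name, ":", OWS) to HTTPbis as Julian suggests. Two assumptions are mine: the ':' separator after ALLOW-FROM comes from the ABNF quoted in the review, while the whitespace separator is the on-the-wire form browsers expect, so both are accepted; and a URI carrying userinfo, a path, a query or a fragment is rejected rather than silently truncated, because the value is meant to name an origin, not a resource.

```python
"""Strict validator for the X-Frame-Options field value.

Added example (not from the draft or the websec thread).  Assumes the
field-value shape  DENY / SAMEORIGIN / ALLOW-FROM <sep> URI, where <sep>
is ':' (as in the ABNF quoted in the review) or whitespace (the form seen
on the wire).  Only the field value is parsed; header framing is HTTPbis'.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")
# HTTPbis OWS = *( SP / HTAB )
_OWS = " \t"


@dataclass(frozen=True)
class FrameOptions:
    directive: str                # "DENY", "SAMEORIGIN" or "ALLOW-FROM"
    origin: Optional[str] = None  # normalized scheme://host[:port] for ALLOW-FROM


class InvalidFrameOptions(ValueError):
    """Raised for any value a user agent could not act on."""


def _validate_allow_from_uri(uri: str) -> str:
    """Return a normalized origin for an ALLOW-FROM URI, or raise.

    'Valid' here (my reading, see lead-in) means an RFC 3986 absolute URI
    with a scheme and a host, so that an RFC 6454 origin can be formed.
    """
    if not uri or any(c in _OWS for c in uri):
        raise InvalidFrameOptions("ALLOW-FROM URI must be a single non-empty token")
    parts = urlsplit(uri)
    if not parts.scheme or not _SCHEME_RE.match(parts.scheme):
        raise InvalidFrameOptions("ALLOW-FROM URI needs an RFC 3986 scheme")
    if not parts.hostname:
        raise InvalidFrameOptions("ALLOW-FROM URI needs a host")
    if parts.username or parts.password:
        # 'https://evil.example@good.example' must not be read as good.example
        raise InvalidFrameOptions("userinfo is not part of an origin")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise InvalidFrameOptions("ALLOW-FROM must name an origin, not a resource")
    try:
        port = parts.port  # raises ValueError for non-numeric/out-of-range ports
    except ValueError as exc:
        raise InvalidFrameOptions("invalid port") from exc
    host = parts.hostname.lower()
    if ":" in host:            # IPv6 literal, keep RFC 3986 brackets
        host = f"[{host}]"
    origin = f"{parts.scheme.lower()}://{host}"
    if port is not None:
        origin += f":{port}"
    return origin


def parse_frame_options(field_value: str) -> FrameOptions:
    """Parse an X-Frame-Options field value (no field name, no CRLF)."""
    if "\r" in field_value or "\n" in field_value:
        raise InvalidFrameOptions("field value must not contain CR or LF")
    value = field_value.strip(_OWS)
    upper = value.upper()      # RFC 5234 quoted strings are case-insensitive
    if upper == "DENY":
        return FrameOptions("DENY")
    if upper == "SAMEORIGIN":
        return FrameOptions("SAMEORIGIN")
    if upper.startswith("ALLOW-FROM"):
        rest = value[len("ALLOW-FROM"):]
        if rest.startswith(":"):             # separator as in the quoted ABNF
            rest = rest[1:]
        elif not rest or rest[0] not in _OWS:  # whitespace separator (assumed)
            raise InvalidFrameOptions("ALLOW-FROM needs a separator before the URI")
        return FrameOptions("ALLOW-FROM", _validate_allow_from_uri(rest.strip(_OWS)))
    raise InvalidFrameOptions(f"unknown directive: {value!r}")


def is_valid(field_value: str) -> bool:
    """True if a user agent could enforce this value, else False."""
    try:
        parse_frame_options(field_value)
        return True
    except InvalidFrameOptions:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for sample in ["DENY", " sameorigin\t", "ALLOW-FROM https://Example.com:8443/",
                   "ALLOW-FROM: https://example.com", "ALLOW-FROM https://evil.example@good.example",
                   "ALLOW-FROM example.com", "ALLOW-FROMhttps://example.com", "DENY, SAMEORIGIN"]:
        try:
            print(f"{sample!r:55} -> {parse_frame_options(sample)}")
        except InvalidFrameOptions as err:
            print(f"{sample!r:55} -> rejected: {err}")
```

The point of validating at generation time rather than trusting the header to "do something": a value the user agent cannot parse enforces nothing, so a server emitting "ALLOW-FROMhttps://example.com" or a URI with userinfo gets no framing protection while believing it has some. Rejecting such values where the header is produced is the check the "MUST be valid" sentence ought to pin down.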