Thanks to Dave and Tobias for writing up this spec.
+1 to other folks' comments on this draft.
I suggest an explicit statement such as..
The purpose of this specification is to document existing practice.
..should appear in the abstract and the introduction.
It appears to me that there's various editorial roughness even beyond the prior
comments that will be caught by the RFC editor (given my recent experience);
the document would benefit from a thorough editorial pass.
One item I just noticed that's not mentioned by others, it seems, is that the
header field name in S4.1. Registration Template is..
Header field name: X-Frame-Option
..yet it is referred to as "X-Frame-Options" in the rest of the spec (note the
final "s" in the latter, but not in the former). It appears from..
http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
..that the latter is the correct form that ought to be registered with IANA?
I wonder if also a note will be necessary to explain the use of the "X-" prefix
in light of...
6648 Deprecating the "X-" Prefix and Similar Constructs in Application
Protocols. P. Saint-Andre, D. Crocker, M. Nottingham. June 2012.
HTH,
=JeffH
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec