In "2.3.1. Enable HTML content from other domains", the object tag is mentioned in addition to frame and iframe. This list should also include the applet and embed tags, although user agent behavior may not be consistent on this.
In "5. Security Considerations", it should be mentioned that current implementations do not check the entire ancestor tree of the protected resource, and this may expose the resource to attack in multiply-nested scenarios. For example, if a resource on origin A embeds untrusted content from origin B, that untrusted content can embed another resource from origin A with an X-Frame-Options: SAMEORIGIN policy, and that check will pass if the user agent only verifies the top-level browsing context. It should also probably be mentioned that X-Frame-Options MUST be sent as an HTTP header and is explicitly ignored by user agents when declared with a meta http-equiv tag.

-Brad Hill

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Yoav Nir
> Sent: Tuesday, October 23, 2012 6:40 PM
> To: IETF WebSec WG
> Subject: [websec] WGLC for X-Frame-Options
>
> Hi all
>
> This is to initiate WGLC for the X-Frame-Options draft (not to be confused with the Frame-Options draft).
>
> Please go to http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01, read the draft and send comments.
>
> As usual, we would very much like to hear comments about clarity, thoroughness and applicability. Since this draft documents existing behavior, rather than prescribing future behavior, we would especially like to hear from people familiar with current implementations that support the X-Frame-Options header about whether the draft accurately describes the behavior of those implementations.
>
> WGLC is usually for two weeks. However, the following two weeks include an IETF meeting, so I am extending this period to a little over three weeks. WGLC will end on Friday, November 16th. Please send your comments early, so that we might use our session in Atlanta to discuss issues that come up.
>
> Yoav
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
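The multiply-nested case Brad describes, as an added example that is not part of the thread or of any user agent's code: a small Python model of X-Frame-Options evaluation that contrasts a top-level-only check with a check over the full ancestor chain. Origins such as https://a.example are constructed sample values, and ALLOW-FROM is deliberately left out of the model.

```python
"""Constructed model of X-Frame-Options enforcement (not browser code).

ancestors: origins from the top-level browsing context down to the direct
parent of the framed resource. Origins are sample strings such as
"https://a.example"; ALLOW-FROM is deliberately not modelled here.
"""


def parse_xfo(header):
    """Normalise a raw header value to "DENY", "SAMEORIGIN" or None.

    Matching is case-insensitive; an unrecognised value is treated as no
    policy, which is how a user agent ignoring unknown tokens behaves."""
    token = header.strip().upper()
    return token if token in ("DENY", "SAMEORIGIN") else None


def frame_allowed(header, resource_origin, ancestors, check_all_ancestors=True):
    """Return True if the resource may render inside the given ancestor chain.

    check_all_ancestors=False reproduces the weaker behaviour described in
    the thread: only the top-level browsing context is compared."""
    directive = parse_xfo(header)
    if directive is None or not ancestors:
        return True          # no policy, or not framed at all
    if directive == "DENY":
        return False         # never render in any frame
    to_check = ancestors if check_all_ancestors else ancestors[:1]
    # SAMEORIGIN: every origin we look at must match the resource's origin
    return all(origin == resource_origin for origin in to_check)


def nested_scenario():
    """A embeds untrusted B, B re-embeds an A resource sent with SAMEORIGIN.

    Returns (top_level_only_verdict, full_chain_verdict)."""
    chain = ["https://a.example", "https://b.example"]   # top-level first
    weak = frame_allowed("SAMEORIGIN", "https://a.example", chain,
                         check_all_ancestors=False)
    strict = frame_allowed("SAMEORIGIN", "https://a.example", chain)
    return weak, strict


if __name__ == "__main__":
    print(nested_scenario())   # (True, False)
```

The top-level-only check lets the re-embedded resource render because A matches A, while the full-chain check rejects it because untrusted B sits between them.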
