On 2013-02-11 23:09, Hill, Brad wrote:
> This bug at Mozilla was recently brought to my attention:
> https://bugzilla.mozilla.org/show_bug.cgi?id=836132
> It seems to indicate that the specified EBNF of using a colon between
> "ALLOW-FROM" and the URI is not the actual behavior of most user agents that
> implement that functionality.
> Perhaps we should update this to reflect the predominant implementation in the
> field (Internet Explorer's).
> -Brad
Removing the colon (*not* making it optional) would also be consistent
with the description in
<http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx>.
Note that the ABNF needs to be updated to RFC 5234 syntax anyway, and
that it should only describe the header field value, such as:
  X-Frame-Options = "DENY"
                  / "SAMEORIGIN"
                  / ("ALLOW-FROM" RWS URI)

  RWS = <RWS, as defined by HTTPbis, P1>
  URI = <URI, as defined in RFC3986, Section 3>
(we may want to discuss restricting URI to scheme + authority, though).
Best regards, Julian
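A worked example, added here for this thread and not code from the websec list, Mozilla, Microsoft or any specification: a small JavaScript parser that accepts field values exactly as the RFC 5234 grammar in Julian's message describes them ("DENY" / "SAMEORIGIN" / ("ALLOW-FROM" RWS URI)), rejects the colon form from the old EBNF that the Mozilla bug is about, and implements the scheme + authority restriction Julian raises as an option, since the thread leaves it open. Assumptions: RWS is 1*( SP / HTAB ) as in HTTPbis P1, ABNF string literals are case-insensitive (RFC 5234, section 2.3), the URI is checked only by shape (an RFC 3986 scheme followed by non-whitespace), and the sample header values at the bottom are constructed, not captured from any server.

```javascript
// Added example (not code from the websec list, Mozilla, Microsoft or any
// specification): parse an X-Frame-Options field value per the ABNF proposed
// in the message above:
//
//   X-Frame-Options = "DENY" / "SAMEORIGIN" / ("ALLOW-FROM" RWS URI)
//
// Assumptions: RWS = 1*( SP / HTAB ); ABNF quoted strings match
// case-insensitively; the scheme + authority restriction is a flag because the
// thread does not decide it; the URI is validated by shape only.

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME = '[A-Za-z][A-Za-z0-9+.-]*';
// Any absolute URI by shape: scheme ":" followed by non-whitespace.
const ABSOLUTE_URI_RE = new RegExp(`^(${SCHEME}):\\S*$`);
// Scheme + authority only ("https://example.com"): no path, query or fragment.
const ORIGIN_RE = new RegExp(`^(${SCHEME})://([^/?#\\s]+)$`);
// "ALLOW-FROM" RWS URI, anchored so the old colon form and trailing junk fail.
const ALLOW_FROM_RE = /^ALLOW-FROM[ \t]+(\S+)$/i;

function parseXFrameOptions(fieldValue, { originOnly = true } = {}) {
  // Surrounding OWS belongs to the header framing, not to the field-value ABNF.
  const v = fieldValue.trim();

  if (/^DENY$/i.test(v)) return { directive: 'DENY' };
  if (/^SAMEORIGIN$/i.test(v)) return { directive: 'SAMEORIGIN' };

  const m = ALLOW_FROM_RE.exec(v);
  if (!m) {
    // "ALLOW-FROM: uri" (colon, no RWS), a missing URI, or anything else.
    return { error: 'field value does not match the ABNF' };
  }
  const uri = m[1];

  const abs = ABSOLUTE_URI_RE.exec(uri);
  if (!abs) return { error: 'ALLOW-FROM value is not an absolute URI' };

  const origin = ORIGIN_RE.exec(uri);
  if (origin) {
    return { directive: 'ALLOW-FROM', uri, scheme: origin[1].toLowerCase(), authority: origin[2] };
  }
  if (originOnly) {
    return { error: 'ALLOW-FROM URI must be scheme + authority only' };
  }
  // Restriction switched off: any absolute URI is accepted as written.
  return { directive: 'ALLOW-FROM', uri, scheme: abs[1].toLowerCase() };
}

// Constructed header values (not captured from any server) covering the
// well-formed cases, the colon form from the old EBNF, and the path case the
// optional restriction is about.
const SAMPLES = [
  'DENY',
  'sameorigin',
  'ALLOW-FROM https://example.com',
  'allow-from\thttps://example.com:8443',
  'ALLOW-FROM: https://example.com',
  'ALLOW-FROM',
  'ALLOW-FROM example.com',
  'ALLOW-FROM https://example.com/path',
];

// One line per sample: the value, then either the parsed directive or the error.
function summarize(originOnly = true) {
  return SAMPLES.map((s) => {
    const r = parseXFrameOptions(s, { originOnly });
    const shown = JSON.stringify(s);
    return r.error ? `${shown} -> rejected: ${r.error}` : `${shown} -> ${JSON.stringify(r)}`;
  });
}

console.log(summarize().join('\n'));
```

The parser only decides whether a value is well-formed under the proposed grammar; what a user agent then does with the parsed origin when the page is framed is a separate question that this example does not address. Running it shows the practical point of the thread: a header written with the colon from the old EBNF is rejected outright by the space-separated grammar, so a site emitting one form while the deployed browsers expect the other gets no ALLOW-FROM protection from that header at all.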
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec