On 14/08/13 17:30, Barry Leiba wrote:
>> It's interesting to note that this draft says there's a problem with
>> folks not checking the origins of the entire ancestor tree of names of
>> the framing resource - but then doesn't say that it sounds like a good idea
>> to do it. I can see the argument that might be made that this draft is just
>> documenting what's done now, but shouldn't we take the opportunity to do
>> more and recommend something along the lines of "The entire ancestor tree
>> of names of the framing resource SHOULD be checked to mitigate the risk
>> of attacks in multiple-nested scenarios" or something like that?
> It seems that that should be work for the W3C folks who are working on
> the successor mechanism. This really *is* just meaning to document
> what's in use now, warts and all.
>
> Barry

I agree with Barry. (And we gave corresponding input to WebAppSec at W3C when we handed over the goal for CSP1.1.)
Best regards, Tobias
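The multiple-nested scenario the quoted message refers to, illustrated as an added example that is not part of the thread, the X-Frame-Options draft, or any browser's code. It simulates a frame tree with plain objects (`makeFrame`, `parent` standing in for `window.parent`) so it runs in Node, and assumes a hypothetical allow-list of framing origins; it shows why a check of only the immediate framing resource passes a page that a check of the entire ancestor chain rejects.

```javascript
// Added example: simulated frame tree, not browser code.
// `parent` mirrors window.parent; `origin` is the frame's origin.
function makeFrame(origin, parent) {
  return { origin, parent: parent || null };
}

// Walk parent links up to the top-level document, collecting each
// ancestor origin, nearest ancestor first.
function ancestorOrigins(frame) {
  const chain = [];
  for (let f = frame.parent; f !== null; f = f.parent) {
    chain.push(f.origin);
  }
  return chain;
}

// Weak check: only the immediate framing resource is examined.
function allowedByParentOnly(frame, allowed) {
  if (frame.parent === null) return true; // top-level: nothing frames it
  return allowed.has(frame.parent.origin);
}

// Stronger check: every ancestor up to the top-level document must be
// on the allow-list, so a hostile outer frame cannot hide behind a
// trusted intermediate one.
function allowedByFullChain(frame, allowed) {
  return ancestorOrigins(frame).every((o) => allowed.has(o));
}

// Constructed scenario (hypothetical origins): attacker.example frames
// trusted.example, which in turn frames the protected resource at
// bank.example. bank.example only allows trusted.example to frame it.
const topFrame = makeFrame('https://attacker.example', null);
const middle = makeFrame('https://trusted.example', topFrame);
const victim = makeFrame('https://bank.example', middle);
const allowed = new Set(['https://trusted.example']);

function demo() {
  return {
    chain: ancestorOrigins(victim),
    parentOnly: allowedByParentOnly(victim, allowed),
    fullChain: allowedByFullChain(victim, allowed),
  };
}

console.log(demo());
// parentOnly is true (trusted.example is the direct parent), fullChain is
// false (attacker.example sits above it).
```

In a real browser a framed document cannot read the origins of cross-origin ancestors from script (the same-origin policy blocks `parent.location`), so this walk has to be done by the user agent enforcing the header, not by the framed page itself; that is the practical reason the check belongs in the specification of the mechanism.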
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
