On 14/08/13 18:33, Ted Lemon wrote:
> On Aug 14, 2013, at 12:55 PM, Yoav Nir <[email protected]> wrote:
>> The charter mandate was to just document. I think advice to web masters
>> might be in scope, but advice for browser makers (for example, how to
>> harmonize the implementations) is not.
> The document seems to currently contain quite a bit of advice for browser
> makers, and certainly for plugin makers. If the above statement is really
> true, that advice seems like it's out of scope. If the above statement is
> not true, then the advice ought to be complete.
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec

Ted,

it is a balancing act: the depth of advice is proportionate to the correlation of the different implementations. So e.g. where implementations are in sync, the advice is more detailed. We could add a section on how to handle nested frames, but as we have two diverging major browser implementations on this point, that didn't feel very productive, especially as we have the hope that CSP1.1 will replace X-Frame-Options in the future.

Best regards,
Tobias
