From: [email protected] [mailto:[email protected]] On Behalf Of Tobias Gondrom
Sent: Wednesday, August 14, 2013 9:42 AM
To: [email protected]; [email protected]
Cc: [email protected]; [email protected]; [email protected]; [email protected]
Subject: Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
On 14/08/13 17:30, Barry Leiba wrote:
>> It's interesting to note that this draft says there's a problem with folks not checking the origins of the entire ancestor tree of names of the framing resource - but then doesn't say that it sounds like a good idea to do it. I can see the argument that might be made that this draft is just documenting what's done now, but shouldn't we take the opportunity to do more and recommend something along the lines of "The entire ancestor tree of names of the framing resource SHOULD be checked to mitigate the risk of attacks in multiple-nested scenarios" or something like that?
>
> It seems that that should be work for the W3C folks who are working on the successor mechanism. This really *is* just meaning to document what's in use now, warts and all.
>
> Barry

I agree with Barry. (And we gave according input to WebAppSec at W3C when we handed over the goal for CSP1.1.)

Best regards, Tobias

-----------------

And the ancestor walking behavior is what we have specified in the successor at W3C.

-Brad Hill

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
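The "multiple-nested scenario" the thread refers to, as an added example that is not part of the mailing-list discussion or of any browser's code: a small evaluator for X-Frame-Options that can either compare the page origin against only the top-level document (the "top-only" check some implementations used) or walk the entire ancestor chain. The function names (`originOf`, `parseXFO`, `mayRender`, `nestedScenario`), the host names and the framing chain are all constructed for illustration; the treatment of an unrecognised header value as "no policy" is an assumption, not a statement about any particular browser.

```javascript
// Added example (not from the websec thread). Compares a "top-only"
// X-Frame-Options check with a full ancestor-tree check on a constructed
// nested framing chain. All names and URLs below are hypothetical.

// Reduce a URL to its origin (scheme://host[:port]) for comparison.
function originOf(href) {
  const u = new URL(href);
  return `${u.protocol}//${u.host}`;
}

// Parse an X-Frame-Options value: DENY, SAMEORIGIN or ALLOW-FROM <uri>.
// Returns null for anything else; mayRender() treats that as "no policy"
// (an assumption for this example, not every implementation's behaviour).
function parseXFO(value) {
  const v = value.trim();
  const upper = v.toUpperCase();
  if (upper === "DENY") return { policy: "DENY" };
  if (upper === "SAMEORIGIN") return { policy: "SAMEORIGIN" };
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(v);
  if (m) return { policy: "ALLOW-FROM", allowFrom: originOf(m[1]) };
  return null;
}

// Decide whether a framed page may render.
//   pageUrl:   the framed document
//   ancestors: URLs from the immediate parent up to the top-level document
//   mode:      "top-only"      -> compare only the top-level document
//              "all-ancestors" -> every document in the chain must pass
function mayRender(xfoValue, pageUrl, ancestors, mode) {
  if (ancestors.length === 0) return true; // not framed at all
  const rule = parseXFO(xfoValue);
  if (rule === null) return true; // unrecognised value: no policy applied
  if (rule.policy === "DENY") return false;
  const pageOrigin = originOf(pageUrl);
  const checked =
    mode === "top-only" ? [ancestors[ancestors.length - 1]] : ancestors;
  return checked.every((href) => {
    const o = originOf(href);
    return rule.policy === "SAMEORIGIN" ? o === pageOrigin : o === rule.allowFrom;
  });
}

// Constructed nested scenario: the top-level document is on the victim's own
// origin (say, a page that embeds third-party content in an iframe), the
// middle frame is attacker-controlled, and the sensitive page is nested inside
// that attacker frame. A top-only check sees a same-origin top document and
// lets the page render underneath the attacker's overlay; walking every
// ancestor catches the attacker-controlled frame in the middle.
const TARGET = "https://bank.example/transfer";
const NESTED_CHAIN = [
  "https://attacker.example/overlay.html", // immediate parent (attacker)
  "https://bank.example/widgets/embed.html", // top-level (victim's origin)
];

function nestedScenario() {
  return {
    topOnly: mayRender("SAMEORIGIN", TARGET, NESTED_CHAIN, "top-only"),
    allAncestors: mayRender("SAMEORIGIN", TARGET, NESTED_CHAIN, "all-ancestors"),
  };
}

console.log(nestedScenario()); // { topOnly: true, allAncestors: false }
```

Run it with `node` to see the two verdicts side by side; the ancestor-walking behaviour that Brad Hill mentions for the W3C successor corresponds to the "all-ancestors" mode here.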
