[Webkit-unassigned] [Bug 94836] Support for X-Frame-Options: Allow-From [uri]

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 16 22:00:09 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=94836

--- Comment #11 from Adam Barth <abarth at webkit.org>  2013-04-16 21:58:26 PST ---
> We were looking at it because it's been in the IETF draft for some time (http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01) and has utility we're interested in.

The IETF websec working group has not addressed my WGLC feedback on this aspect of draft-ietf-websec-x-frame-options:

http://www.ietf.org/mail-archive/web/websec/current/msg01459.html

> I'm failing at finding relevant threads in the webappsec archives that demonstrate this controversy.  Have any pointers?

I couldn't find a good email thread in a quick search.  The basic issue is that allow-from is basically the same thing as a source-expression from CSP but uses an incompatible syntax.

The current agreement in both the IETF websec working group and the W3C WebAppSec working group is to not add any new features to X-Frame-Options (including allow-from) and instead make frame-options into a CSP directive.

The final point of controversy is whether to let the web site specify multiple values for the frame-options directive (i.e., whether to allow a source-list like other CSP directives or whether to restrict frame-options to a single source-expression).

I'd recommend not implementing allow-from in X-Frame-Options until these issues are resolved.  I'd expect the likely outcome to be a frame-options CSP directive that either takes a source-list or a source-expression.

The W3C WebAppSec working group has a face-to-face meeting on April 25-26 where I'd expect these issues to be hammered out.  If you're interested in these topics, I'd encourage you to attend.

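The comment above argues that ALLOW-FROM restates a CSP source-expression in an incompatible syntax, and that the open question is whether the CSP directive should accept a whole source-list or a single source-expression. The following evaluator is an added example, not code from WebKit, from this bug, or from the IETF/W3C drafts; it shows both header forms deciding the same framing question. The CSP directive the comment calls "frame-options" later shipped in CSP Level 2 under the name frame-ancestors, which is the name used here; the source-expression matching is a simplified subset (no paths, no other keywords), and the origins site.example, partner.example and cdn.example are constructed sample values.

```javascript
// Added example (not WebKit code, not draft text): evaluate framing policy
// expressed as X-Frame-Options ALLOW-FROM versus a CSP frame-ancestors
// source-list. Simplified CSP matching: 'none', 'self', scheme-source and
// host-source with optional "*." prefix and port; no paths.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// X-Frame-Options grammar from the draft: DENY | SAMEORIGIN | ALLOW-FROM uri.
// ALLOW-FROM takes exactly one URI, of which only the origin is significant.
function parseXFrameOptions(value) {
  const parts = value.trim().split(/\s+/);
  const keyword = parts[0].toUpperCase();
  if (keyword === 'DENY' && parts.length === 1) return { kind: 'deny' };
  if (keyword === 'SAMEORIGIN' && parts.length === 1) return { kind: 'sameorigin' };
  if (keyword === 'ALLOW-FROM' && parts.length === 2) {
    try {
      return { kind: 'allow-from', origin: new URL(parts[1]).origin };
    } catch (e) {
      return { kind: 'invalid' };
    }
  }
  return { kind: 'invalid' };
}

// One CSP source-expression: 'none', 'self', "https:" or "[scheme://]host[:port]".
function parseSourceExpression(expr) {
  if (expr === "'none'") return { type: 'none' };
  if (expr === "'self'") return { type: 'self' };
  const scheme = expr.match(/^([a-z][a-z0-9+.-]*):$/i);
  if (scheme) return { type: 'scheme', scheme: scheme[1].toLowerCase() + ':' };
  const host = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i);
  if (host) {
    return {
      type: 'host',
      scheme: host[1] ? host[1].toLowerCase() + ':' : null,
      wildcard: Boolean(host[2]),
      host: host[3].toLowerCase(),
      port: host[4] || null,
    };
  }
  throw new Error(`unsupported source-expression: ${expr}`);
}

// The frame-ancestors source-list from a CSP header value, or null when the
// directive is absent (absent means no framing restriction from CSP).
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(parseSourceExpression);
    }
  }
  return null;
}

// Does one source-expression match the origin of the framing document?
function sourceMatches(source, topOrigin, selfOrigin) {
  const top = new URL(topOrigin);
  const page = new URL(selfOrigin);
  switch (source.type) {
    case 'none': return false;
    case 'self': return top.origin === page.origin;
    case 'scheme': return top.protocol === source.scheme;
    case 'host': {
      const scheme = source.scheme || page.protocol; // no scheme: inherit the page's
      if (top.protocol !== scheme) return false;
      const hostOk = source.wildcard
        ? top.hostname.endsWith('.' + source.host) // "*.x" does not match x itself
        : top.hostname === source.host;
      if (!hostOk) return false;
      const topPort = top.port || DEFAULT_PORTS[top.protocol] || '';
      if (source.port === null) return topPort === (DEFAULT_PORTS[scheme] || '');
      return source.port === '*' || source.port === topPort;
    }
    default: return false;
  }
}

// May a page served with this X-Frame-Options value be framed by topOrigin?
// An unrecognized value is ignored (page stays framable), which is also how
// browsers that never implemented ALLOW-FROM treat that keyword.
function xfoAllowsFraming(xfoValue, topOrigin, selfOrigin) {
  const policy = parseXFrameOptions(xfoValue);
  const top = new URL(topOrigin).origin;
  switch (policy.kind) {
    case 'deny': return false;
    case 'sameorigin': return top === new URL(selfOrigin).origin;
    case 'allow-from': return top === policy.origin;
    default: return true;
  }
}

// May a page served with this CSP value be framed by topOrigin?
function cspAllowsFraming(cspValue, topOrigin, selfOrigin) {
  const sources = parseFrameAncestors(cspValue);
  if (sources === null) return true;
  return sources.some((src) => sourceMatches(src, topOrigin, selfOrigin));
}

// Constructed demo: "partner.example may frame us" in both syntaxes, plus
// additional sources that only the CSP source-list can express.
const SELF = 'https://site.example';
const XFO = 'ALLOW-FROM https://partner.example';
const CSP = "frame-ancestors 'self' https://partner.example https://*.cdn.example";
for (const top of ['https://partner.example', 'https://site.example',
                   'https://assets.cdn.example', 'http://partner.example']) {
  console.log(top, 'XFO:', xfoAllowsFraming(XFO, top, SELF),
              'CSP:', cspAllowsFraming(CSP, top, SELF));
}
```

Run with `node`. The ALLOW-FROM form accepts exactly one URI, so `ALLOW-FROM https://a.example https://b.example` parses as invalid, whereas the CSP source-list admits several expressions, a wildcard host and `'self'` in one directive; that difference is the single-value versus source-list question the comment leaves open.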