Re: [websec] WGLC feedback for X-Frame-Options

=JeffH <> Thu, 08 November 2012 16:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5AA4B21F8471 for <>; Thu, 8 Nov 2012 08:47:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.349
X-Spam-Status: No, score=-102.349 tagged_above=-999 required=5 tests=[AWL=-0.083, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yH60FMRhDP+0 for <>; Thu, 8 Nov 2012 08:47:06 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 5EA6221F8433 for <>; Thu, 8 Nov 2012 08:47:06 -0800 (PST)
Received: (qmail 4879 invoked by uid 0); 8 Nov 2012 16:46:42 -0000
Received: from unknown (HELO ( by with SMTP; 8 Nov 2012 16:46:42 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=Cqnd+kdIlvV3un6Z3DClkNaFI73dwGCU7S8dEKuhRbI=; b=AFcWza1i1rzkcJCT/kMUeRNbdpANH8y7z+eHXq9x0wQMART8Dn2REe/P5fQSMZsYY0WGmVB9Ok1YvbWUgKqsO3eu9qM686WD1RXxirb/I3mF8+PPxam06lc9WP9JK1jN;
Received: from [] (port=50146) by with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <>) id 1TWVFZ-0001vQ-MV for; Thu, 08 Nov 2012 09:46:41 -0700
Message-ID: <>
Date: Thu, 08 Nov 2012 08:46:40 -0800
From: =JeffH <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121011 Thunderbird/16.0.1
MIME-Version: 1.0
To: IETF WebSec WG <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {} {sentby:smtp auth authed with}
Subject: Re: [websec] WGLC feedback for X-Frame-Options
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 08 Nov 2012 16:47:07 -0000

thanks to Dave and Tobias for writing up this spec.

+1 to other folks' comments on this draft.

I suggest an explicit statement such as..

   The purpose of this specification is to document existing practice.

..should appear in the abstract and the intoduction.

It appears to me that there's various editorial roughness even beyond the prior 
comments that will be caught by the RFC editor (given my recent experience); 
the document would benefit from a thorough editorial pass.

one item I just noticed that's not mentioned by others it seems is that they 
header field name in S4.1.  Registration Template is..

   Header field name: X-Frame-Option

..yet it is referred to as "X-Frame-Options" in the rest of the spec (note the 
final "s" in the latter, but not in the former). It appears from..

..that the latter is the correct form that ought to be registered with IANA ?

I wonder if also a note will be necessary to explain the use of the "X-" prefix 
in light of...

6648 Deprecating the "X-" Prefix and Similar Constructs in Application
      Protocols. P. Saint-Andre, D. Crocker, M. Nottingham. June 2012.