Re: [websec] Pete Resnick's No Objection on draft-ietf-websec-x-frame-options-09: (with COMMENT)

Tobias Gondrom <tobias.gondrom@gondrom.org> Sat, 17 August 2013 19:23 UTC

Message-ID: <520FCDB4.6050802@gondrom.org>
Date: Sat, 17 Aug 2013 20:23:32 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: presnick@qti.qualcomm.com
References: <20130814221250.16821.99472.idtracker@ietfa.amsl.com> <CALaySJLqwULZc1rxbXaxYRz+hTE5Z3S42F2+LDHVaj_CdivfKg@mail.gmail.com> <520C493C.9080208@qti.qualcomm.com>
In-Reply-To: <520C493C.9080208@qti.qualcomm.com>
Cc: draft-ietf-websec-x-frame-options@tools.ietf.org, barryleiba@computer.org, websec@ietf.org, iesg@ietf.org, websec-chairs@tools.ietf.org
Subject: Re: [websec] Pete Resnick's No Objection on draft-ietf-websec-x-frame-options-09: (with COMMENT)

On 15/08/13 04:21, Pete Resnick wrote:
> On 8/14/13 5:15 PM, Barry Leiba wrote:
>>> Why is this document not on the standards track?
>>>
>> Because it's not anything we want to tell people to start implementing
>> now.  We want them to move toward the work we transferred over to
>> W3C's WebAppSec group instead.
>>
>
> It's probably worth having a line to that effect somewhere in the
> document.
>
> pr
>
We do have respective text in the introduction:
"This specification provides informational documentation about the
current use and definition of the X-Frame-Options HTTP header field. As
described in Section 2.3.2.2, not all browsers implement X-Frame-Options
exactly in the same way, which can lead to unintended results. And
given that the "X-" construction is deprecated [RFC6648], the
X-Frame-Options header field will in the future be replaced by the
Frame-Options directive in the Content Security Policy Version 1.1
[CSP-1-1]"

Best regards, Tobias
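The introduction text quoted above makes two points a deployer has to live with: browsers do not all interpret X-Frame-Options the same way, and the header is to be superseded by a CSP directive (the draft calls it Frame-Options; the directive that actually shipped in CSP Level 2 is frame-ancestors, and a browser that understands frame-ancestors ignores X-Frame-Options when both are present). The audit helper below is an added example, not code from the draft, the websec list or any browser; it assesses a response's header list the way a defender would, flagging the inconsistent cases (repeated or conflicting values, misspelled tokens, ALLOW-FROM) instead of assuming one browser's behaviour. The sample responses are constructed for illustration.

```python
"""Audit anti-framing headers on an HTTP response (added example, not from the draft)."""
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]  # (name, value) pairs, a name may repeat


def parse_xfo(raw_values: List[str]) -> Tuple[Optional[str], List[str]]:
    """Interpret X-Frame-Options values. Returns (policy, notes).

    policy is one of None (absent), "DENY", "SAMEORIGIN", "ALLOW-FROM",
    "inconsistent" (several different values, browsers disagree on which wins)
    or "invalid" (unrecognised token, which browsers ignore).
    Tokens are compared case-insensitively, as the draft allows.
    """
    tokens = [t.strip() for v in raw_values for t in v.split(",") if t.strip()]
    notes: List[str] = []
    if not tokens:
        return None, notes
    distinct = {t.upper() for t in tokens}
    if len(distinct) > 1:
        notes.append("conflicting X-Frame-Options values: " + ", ".join(tokens))
        return "inconsistent", notes
    tok = distinct.pop()
    if tok in ("DENY", "SAMEORIGIN"):
        return tok, notes
    if tok.startswith("ALLOW-FROM"):
        notes.append("ALLOW-FROM is not supported by every browser (see draft 2.3.2.2)")
        return "ALLOW-FROM", notes
    notes.append(f"unrecognised X-Frame-Options value {tokens[0]!r}; offers no protection")
    return "invalid", notes


def parse_frame_ancestors(csp_values: List[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from CSP header values, or None.

    An empty source list is equivalent to 'none' in CSP, so it is returned as such.
    """
    for value in csp_values:
        for directive in value.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:] or ["'none'"]
    return None


def assess(headers: Headers) -> Dict[str, object]:
    """Report which header governs framing and whether it actually restricts it."""
    xfo_raw = [v for n, v in headers if n.lower() == "x-frame-options"]
    csp_raw = [v for n, v in headers if n.lower() == "content-security-policy"]
    xfo, notes = parse_xfo(xfo_raw)
    ancestors = parse_frame_ancestors(csp_raw)

    if ancestors is not None:
        # Supporting browsers enforce frame-ancestors and ignore X-Frame-Options.
        protected = "*" not in ancestors
        if xfo is not None:
            notes.append("X-Frame-Options also present; only used by browsers without CSP support")
        return {"source": "csp", "policy": ancestors, "protected": protected, "notes": notes}

    if xfo in ("DENY", "SAMEORIGIN", "ALLOW-FROM"):
        return {"source": "x-frame-options", "policy": xfo, "protected": True, "notes": notes}
    if xfo is None:
        notes.append("no anti-framing header at all")
    return {"source": None, "policy": xfo, "protected": False, "notes": notes}


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES: Dict[str, Headers] = {
    "legacy_only": [("Content-Type", "text/html"), ("X-Frame-Options", "sameorigin")],
    "csp_and_legacy": [("X-Frame-Options", "DENY"),
                       ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "conflicting": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "typo": [("X-Frame-Options", "SAME-ORIGIN")],
    "unprotected": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name:15} -> {assess(hdrs)}")
```

Running the block prints one assessment per sample; the "conflicting" and "typo" cases are the ones the draft's Section 2.3.2.2 warns about, and the helper deliberately reports them as unprotected rather than guessing which browser behaviour applies.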