Re: [websec] Ted Lemon's No Objection on draft-ietf-websec-x-frame-options-09: (with COMMENT)

Ted Lemon <ted.lemon@nominum.com> Wed, 14 August 2013 21:49 UTC

From: Ted Lemon <ted.lemon@nominum.com>
In-Reply-To: <520BF1AB.5000103@gondrom.org>
Date: Wed, 14 Aug 2013 17:49:25 -0400
Message-ID: <0B70B4E8-0375-414F-B529-52D3EE0E275B@nominum.com>
References: <20130814175121.16080.58938.idtracker@ietfa.amsl.com> <520BF1AB.5000103@gondrom.org>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Cc: draft-ietf-websec-x-frame-options@tools.ietf.org, websec@ietf.org, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Ted Lemon's No Objection on draft-ietf-websec-x-frame-options-09: (with COMMENT)

On Aug 14, 2013, at 5:07 PM, Tobias Gondrom <tobias.gondrom@gondrom.org> wrote:
> I had the hope with referring to RFC6454 this should be unambiguous and
> clear enough. I had the hesitation to write redundant text, but maybe I
> got too short. Do you think we need to spell it out more explicitly in
> the draft so people understand?

How about:

  Existing implementations differ with [RFC6454] in that origins with
  the same protocol but different port values are considered equivalent.

>> What is the distinction between "top-level browsing context" and "origin
>> of the framing page?"   A reference here would be helpful.
> Apologies. In this case I have hesitations to add an explanation about
> the nesting of frames in html. In general the concept of nested frames
> (and top-level vs. framing page) is reasonably understood.
> [will keep the text as is until I hear an argument that this really
> needs an explanation in this draft.]

The additional text that you added in your reply helps a little—it appears that "top-level browsing context" means "the HTML that is loaded first and that contains whatever nesting might occur" and perhaps that "origin of the framing page" refers somehow to the idea of nested frames.   But even with the help you've given me in your reply, I am not sure that I have this right, and indeed I am scratching my head trying to figure out what the difference is between these two contexts.

As a person who writes HTML fairly regularly, I think I am your intended target audience.   If so, you really do need to explain what these terms mean, or provide a reference to a document that explains them.
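As an added example that is not part of this thread or of the draft: a small JavaScript model of the two origin comparison rules Ted's proposed sentence contrasts, the RFC 6454 tuple (scheme, host, port) and the port-ignoring comparison of existing X-Frame-Options implementations, applied to the framing decision against the origin of the top-level browsing context. The function names, the header grammar and the treatment of unrecognized header values are assumptions of this example, not the draft's text.

```javascript
// Added example, not from the thread or the draft: models the two origin
// comparison rules Ted's proposed sentence contrasts and applies them to an
// X-Frame-Options framing decision. Function names are this example's own.

// Origin tuple per RFC 6454: scheme, host, port (default port filled in for
// http and https when the URL omits it).
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { "http:": 80, "https:": 443 };
  const port = u.port === "" ? defaultPorts[u.protocol] : Number(u.port);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// RFC 6454 section 5: two origins are the same only if all three parts match.
function sameOriginRfc6454(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Behaviour of existing implementations as described in the thread: scheme
// and host are compared, but origins with different ports count as equivalent.
function sameOriginLegacyXfo(a, b) {
  return a.scheme === b.scheme && a.host === b.host;
}

// Decide whether a document sent with "X-Frame-Options: <headerValue>" may be
// rendered inside a frame whose top-level browsing context is topLevelUrl.
// `sameOrigin` selects which comparison rule the user agent applies.
// Returns "render" or "block".
function frameDecision(headerValue, framedUrl, topLevelUrl, sameOrigin) {
  const value = headerValue.trim();
  const top = originOf(topLevelUrl);
  if (/^DENY$/i.test(value)) return "block";
  if (/^SAMEORIGIN$/i.test(value)) {
    return sameOrigin(originOf(framedUrl), top) ? "render" : "block";
  }
  const allowFrom = value.match(/^ALLOW-FROM\s+(\S+)$/i);
  if (allowFrom) {
    return sameOrigin(originOf(allowFrom[1]), top) ? "render" : "block";
  }
  // Assumption of this example: an unrecognized value imposes no restriction.
  return "render";
}

// Worked case (constructed URLs): same scheme and host, different port on the
// top-level page. RFC 6454 blocks the frame; the legacy rule renders it.
const framed = "https://example.com/widget";
const topLevel = "https://example.com:8443/dashboard";
console.log(frameDecision("SAMEORIGIN", framed, topLevel, sameOriginRfc6454)); // block
console.log(frameDecision("SAMEORIGIN", framed, topLevel, sameOriginLegacyXfo)); // render
```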