There were a number of factors in dropping the frame chain stuff, and
yeah, we made a somewhat abrupt change in direction.
In general, the *chain of requests* (i.e., redirects and referrer) that
cause a document to load and the *layout context* in which a document
will be rendered seem to be useful in different cases; the data points
for "how you get something" versus "what you do with it" solve pretty
orthogonal problems and we don't want to add complexity to
Origin/Sec-From if it means a significant delay in adoption.
Knowing the frame chain is indeed useful, but it seems helpful when
solving problems different from those originally targeted by
Origin/Sec-From. For example, clickjacking prevention (one of the uses
for the layout context or frame tree) seems most appropriate on the
client side where the framing takes place, so it seems to me that
sending this data to the server might not be the best course of action.
We have other features in the works that will hopefully fill the need
for clickjacking prevention (CSP for example[0]). It also doesn't hurt
to line up with the Sec-From specification to end up with a more-or-less
standard idea of what should be implemented.
-Sid
[0] https://wiki.mozilla.org/Security/CSP
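The split Sid describes above, "how you get something" (the request chain, checked by the server via Origin/Sec-From) versus "what you do with it" (the frame tree, checked by the browser that does the framing), is easy to see in code. The following is an added example written for this archive page; it is not Mozilla's code and not part of the thread. It assumes a CSRF policy of "Origin (or, failing that, Referer) must be in an allow-list, and an opaque `null` origin is rejected", and a frame-ancestors style allow-list for the client-side check modelled on the CSP wiki linked above; both policies, the header handling, and the sample inputs are my own assumptions for illustration.

```javascript
// Added example, not from the thread or the Mozilla spec.
// Two independent decisions: originCheck() uses only the request chain
// (server side), frameCheck() uses only the frame tree (client side).

// Serialize an origin as scheme://host[:port] with default ports dropped,
// as the Origin header draft does; anything unparsable or non-HTTP
// becomes the opaque value "null". (Assumed to match the draft; verify.)
function serializeOrigin(raw) {
  try {
    const u = new URL(raw);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'null';
    return u.origin; // lowercases the host and strips the default port
  } catch (e) {
    return 'null';
  }
}

// Server side: should a state-changing request proceed? Decided purely
// from "how the request got here". `headers` is assumed to use
// lowercase names, as Node's IncomingMessage.headers does.
function originCheck(headers, allowedOrigins) {
  let source;
  if (headers['origin'] !== undefined) {
    const o = headers['origin'].trim();
    source = o === 'null' ? 'null' : serializeOrigin(o);
  } else if (headers['referer'] !== undefined) {
    // Fallback for clients that never send Origin; Referer may be
    // stripped by privacy tools, so absence is treated as "unknown".
    source = serializeOrigin(headers['referer']);
  } else {
    return { allowed: false, reason: 'no Origin or Referer header' };
  }
  if (source === 'null') {
    // An opaque origin cannot be attributed to any site, so it is
    // refused for requests that change state.
    return { allowed: false, reason: 'opaque origin' };
  }
  const ok = allowedOrigins.includes(source);
  return { allowed: ok, reason: ok ? 'origin allowed' : 'origin ' + source + ' not in allow-list' };
}

// Client side: may this document render, given the origins of every
// ancestor frame (innermost first)? Decided purely from "where it will
// be displayed"; the server never needs to see this list. `policy` is
// an assumed frame-ancestors style list; the token 'none' forbids framing.
function frameCheck(ancestorOrigins, policy) {
  if (ancestorOrigins.length === 0) return { render: true, reason: 'top-level document' };
  if (policy.includes("'none'")) return { render: false, reason: 'framing forbidden' };
  for (const a of ancestorOrigins) {
    const o = serializeOrigin(a);
    if (!policy.includes(o)) return { render: false, reason: 'ancestor ' + o + ' not allowed' };
  }
  return { render: true, reason: 'every ancestor allowed' };
}

// Constructed sample inputs (not real traffic).
const sampleHeaders = { origin: 'https://App.Example:443', referer: 'https://app.example/account' };
const sampleAncestors = ['https://portal.example', 'https://attacker.example'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(originCheck(sampleHeaders, ['https://app.example']));
  console.log(frameCheck(sampleAncestors, ['https://portal.example']));
}
```

Note that the two functions share nothing but the origin serializer: the server can enforce the first check without knowing anything about framing, and the browser can enforce the second with no extra header on the wire, which is the point Sid makes about keeping frame data out of Origin/Sec-From.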
On 7/13/09 3:03 PM, Bil Corry wrote:
Thanks for clarifying the proposal; what threw me off was the wiki history
page indicates that it was last updated less than a month ago, so I wanted to
double-check that the frame-support was being dropped.
And just out of curiosity, is frame support being dropped because it's not
useful, it's challenging to implement, just strictly to be in line with
Sec-From, or for some other reason?
- Bil
Sid Stamm wrote on 7/13/2009 4:37 PM:
We are indeed planning to revise our spec to be in line with Adam
Barth's Sec-From proposal and, like he mentioned on IETF-HTTP-WG, drop
frame support. [1] is pretty out of date and I plan to replace it with
something more accurate by the end of the week.
On 7/13/09 2:20 PM, Bil Corry wrote:
What are the plans for Mozilla's Origin proposal[1] given that the
CORS Origin header[2] and Barth's Sec-From header[3] are possibly
going to be merged into a single specification? I believe the largest
difference is the handling of frames in the Mozilla proposal. I
brought this question up on the IETF-HTTP-WG list and Adam Barth
indicated that he thought Mozilla would be withdrawing frame support[4].
- Bil
[1] https://wiki.mozilla.org/Security/Origin
[2] http://www.w3.org/TR/cors/#origin-request-header
[3] http://tools.ietf.org/html/draft-abarth-origin-01
[4] http://lists.w3.org/Archives/Public/ietf-http-wg/2009JulSep/0084.html
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security