AllAncestors sounds good to me. David Ross dr...@microsoft.com
-----Original Message----- From: Giorgio Maone [mailto:g.ma...@informaction.com] Sent: Saturday, February 18, 2012 12:33 AM To: Adam Barth Cc: David Ross; Eduardo' Vela; IETF WebSec WG; Michal Zalewski Subject: Re: [websec] Frame-Options header and intermediate frames On 18/02/2012 09:06, Adam Barth wrote: > On Fri, Feb 17, 2012 at 5:14 PM, David Ross<dr...@microsoft.com> wrote: here's a good argument that sites attempting to avoid attacks such as phishing and clickjacking would not want to frame arbitrary content. Users really only have an easy way to make immediate and valid trust decisions about the origin of the top level page, not frames contained within those pages. But sites that frame arbitrary content do exist in the real world, for better or worse. While there are different philosophical viewpoints on cross-domain framing, there doesn't seem to be any reason to avoid creating a ValidateAllAncestors flag on Frame-Options which would instruct the browser to validate the URL of each hosting frame up to the top level. Given this, sites that frame arbitrary content could at least make use of SAMEORIGIN and ALLOW-FROM for their intended purpose. >> >> We'd like to get the intermediate frame issue documented and describe the >> optional ValidateAllAncestors flag in the RFC draft. > > That sounds like a reasonable way to extend the existing syntax. It's > slightly ugly Would just "AllAncestors" be clear enough? -- G _______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec