ACTION-174: Raise frame-ancestors/fetch/neterror on list
- State: closed
- Person: Mike West
- Due on: November 3, 2014
- Created on: May 7, 2014
- Associated Product: CSP Level 2
- Related emails: No related emails
Related notes:
Is the Fetch integration algorithm that defines failures due to CSP as a network error adequate to handle frame-ancestors violations? What does X-Frame-Options do today?
---------
Context from telecon follows:
CSP, Fetch, and frame-ancestors
http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0051.html
<wseltzer> ACTION: wseltzer to talk with plh about FETCH and CSP, invite conversation with WebAppSec [recorded in http://www.w3.org/2014/05/07-webappsec-minutes.html#action01]
<trackbot> Created ACTION-173 - Talk with plh about fetch and csp, invite conversation with webappsec [on Wendy Seltzer - due 2014-05-14].
<grobinson> Did anyone else just get booted from the call?
<grobinson> will do
dveditz: like X-Frame-Options, may not be modeled in terms of Fetch, which is document-based, and doesn't have a notion of nested browsing contexts
<devd> bhill2: XFO/frame-ancestors happens after the document is in the browser and we walk up the tree
<devd> mkwst_: so maybe this needs to be part of the HTML spec
mkwst: if we define failure of frame-ancestors as throwing a network error, that comes from fetch today
<devd> mkwst_: but the problem is that we treat frame-ancestors/XFO as network error
<devd> bhill2: maybe the more analogous behavior is how to deal with broken XML
<devd> bhill2: because we got the content but the client can't render it
Act as if it were an empty 200 response, and it should be sandboxed into a unique origin; this prevents the parent page from determining whether cross-origin content loaded successfully or not.
Brad Hill, 27 Oct 2014, 17:16:18
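The check the telecon describes (walk up the tree of ancestor browsing contexts and require every ancestor to match the frame-ancestors source list), together with the "empty sandboxed 200" treatment of a failed check proposed in the note above, as an added example. This is illustrative code written for this page, not the CSP specification's algorithm or any browser's implementation. It assumes CSP Level 2 style source matching with one simplification (a source expression without a scheme is taken to require the protected resource's scheme), and the URLs, directive values and the `renderFramedDocument` helper are constructed for the example.

```javascript
// Added example (not from the spec, the minutes, or any browser): a minimal
// frame-ancestors check in the CSP Level 2 style, plus the "empty sandboxed
// 200" treatment of a failed check described in the note above.

// Default ports, used when a source expression or ancestor URL omits one.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// Reduce a URL to the (scheme, host, port) triple that source matching uses.
function parseOrigin(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                                       // e.g. "https:"
    host: u.hostname,                                         // already lowercased by URL
    port: u.port ? Number(u.port) : DEFAULT_PORTS[u.protocol], // URL drops default ports
  };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does one source expression match the ancestor's origin?
// `self` is the origin of the protected (framed) resource.
function matchesSource(expr, ancestor, self) {
  if (expr === "'self'") return sameOrigin(ancestor, self);
  if (expr === "'none'") return false;

  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return ancestor.scheme === expr.toLowerCase();

  // host-source: [scheme://]host[:port]; host may be "*" or "*.suffix"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\s:/*]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false; // unparseable expressions never match anything
  // Simplification (assumption): no scheme => the protected resource's scheme.
  const scheme = m[1] ? m[1].toLowerCase() + ':' : self.scheme;
  const host = m[2].toLowerCase();
  const port = m[3];

  if (ancestor.scheme !== scheme) return false;
  if (host === '*') {
    // any host
  } else if (host.startsWith('*.')) {
    // "*.example.com" matches "www.example.com" but not "example.com"
    if (!ancestor.host.endsWith(host.slice(1))) return false;
  } else if (ancestor.host !== host) {
    return false;
  }

  if (port === '*') return true;
  if (port === undefined) return ancestor.port === DEFAULT_PORTS[scheme];
  return ancestor.port === Number(port);
}

// The "walk up the tree" check from the telecon: every ancestor browsing
// context, not just the immediate parent, must match the source list.
// `ancestorUrls` is ordered from the immediate parent up to the top-level page;
// a top-level document has no ancestors, so the directive imposes nothing on it.
function frameAncestorsAllowed(directiveValue, selfUrl, ancestorUrls) {
  const sources = directiveValue.trim().split(/\s+/).filter(Boolean);
  const self = parseOrigin(selfUrl);
  return ancestorUrls.every((url) => {
    const ancestor = parseOrigin(url);
    return sources.some((expr) => matchesSource(expr, ancestor, self));
  });
}

// The treatment argued for in the note above, modelled here (hypothetical
// helper, not a spec algorithm): a blocked frame is not a network error but an
// empty 200-like document in an opaque (unique) origin, so the embedder cannot
// tell a blocked frame from one that legitimately rendered empty content.
function renderFramedDocument(directiveValue, selfUrl, ancestorUrls, body) {
  if (frameAncestorsAllowed(directiveValue, selfUrl, ancestorUrls)) {
    return { status: 200, body, sandboxed: false, origin: parseOrigin(selfUrl) };
  }
  return { status: 200, body: '', sandboxed: true, origin: 'opaque' };
}

// Constructed sample: partner.example frames app.example.com, but the partner
// page is itself framed by a third party at the top level, so the walk up the
// tree fails even though the immediate parent is allowed.
console.log(renderFramedDocument(
  'https://partner.example',
  'https://app.example.com/widget',
  ['https://partner.example/embed', 'https://attacker.example/'],
  '<p>widget</p>'
));
```

The last call is the case the telecon raises: checking only the immediate parent would allow the embed, while the ancestor walk rejects it because the top-level page does not match. Whether the rejection surfaces as a network error or as the empty sandboxed document is exactly the distinction the note argues about; `renderFramedDocument` implements the latter.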