Should Chrome start supporting the `ALLOW-FROM` value for `X-Frame-Options`?
That was me, yes. Not happy about allowing pages to detect that someone in particular is framing them.
very unfortunate for devs: “This thing is secure by default except in FX where you have to set this extra header”
Secure by default in what sense? Just exposing ancestorOrigins doesn't make anything secure by default...
`frame-ancestors` (and `ALLOW-FROM` to a much more limited degree) already expose this to brute-forcing.
@cramforce @annevk
Mmm. I consider that a bug in the design of frame-ancestors. But also, brute-forcing is expensive.