Should Chrome start supporting the `ALLOW-FROM` value for `X-Frame-Options`?
Replying to @mikewest
Yes. But only if you can get Firefox to support location.ancestorOrigins as well.
Replying to @cramforce
Amounts to the same thing, right? Though I recall either @annevk or @bz_moz being concerned about that attribute's leakage.
That was me, yes. Not happy about allowing pages to detect that someone in particular is framing them.
Replying to @really_bz @bz_moz and
very unfortunate for devs: “This thing is secure by default except in FX where you have to set this extra header”
Secure by default in what sense? Just exposing ancestorOrigins doesn't make anything secure by default...
Replying to @really_bz @bz_moz and
to fix the privacy aspect an API like assertAncestors could have been suggested instead of just not implementing
My impression from discussions was that the privacy invasion was the stated _point_ of ancestorOrigins.
Replying to @really_bz @bz_moz and
the point of the API is to say: I think my parent is X, but I want to make sure.
(Note that one's impression of what the API is for may not match its designers' or other users' impression.. :()