Should Chrome start supporting the `ALLOW-FROM` value for `X-Frame-Options`?
Replying to @mikewest
Yes. But only if you can get Firefox to support location.ancestorOrigins as well.
Replying to @cramforce
Amounts to the same thing, right? Though I recall either @annevk or @bz_moz being concerned about that attribute's leakage.
That was me, yes. Not happy about allowing pages to detect that someone in particular is framing them.
Replying to @really_bz @bz_moz and
very unfortunate for devs: “This thing is secure by default except in FX where you have to set this extra header”
Secure by default in what sense? Just exposing ancestorOrigins doesn't make anything secure by default...
Replying to @really_bz @bz_moz and
to fix the privacy aspect an API like assertAncestors could have been suggested instead of just not implementing
My impression from discussions was that the privacy invasion was the stated _point_ of ancestorOrigins.
Replying to @really_bz
@cramforce wants to control the way pages are embedded. You'd preventing pages from learning about their cross-origin ancestors.
Replying to @mikewest
Both goals seem reasonable. If there's a better shape for the API that fits the problem better, I'm all ears. :) @cramforce
I'm all ears too, with the caveat that I have very limited time to spend on this...