Should Chrome start supporting the `ALLOW-FROM` value for `X-Frame-Options`?
Replying to @mikewest
Yes. But only if you can get Firefox to support location.ancestorOrigins as well.
Replying to @cramforce
Amounts to the same thing, right? Though I recall either @annevk or @bz_moz being concerned about that attribute's leakage.
That was me, yes. Not happy about allowing pages to detect that someone in particular is framing them.
Replying to @really_bz @bz_moz and
very unfortunate for devs: “This thing is secure by default except in FX where you have to set this extra header”
Secure by default in what sense? Just exposing ancestorOrigins doesn't make anything secure by default...
Replying to @really_bz @bz_moz and
to fix the privacy aspect an API like assertAncestors could have been suggested instead of just not implementing
Replying to @cramforce
`assertAncestors` ~= CSP's `frame-ancestors`, which Firefox ships. Pretty sure they shipped before Chrome. @bz_moz @annevk
Replying to @mikewest @cramforce and
wait, what is assertAncestors? Google and MDN both fail me...
It's an API idea that @cramforce proposed in another branch of this conversation.