Consider calling out XFO and frame-ancestors in addition to frame-src. #27

Open
mikewest opened this issue Apr 1, 2020 · 0 comments

mikewest commented Apr 1, 2020

https://immersive-web.github.io/dom-overlays/#security reasonably calls out frame-src as applying to overlay content. It would be reasonable to note that the content itself might reasonably opt out of such embedding via x-frame-options and/or frame-ancestors. It's likely the case that this is implicitly covered, but it's worth making it explicit that the overlay doesn't create a new top-level browsing context.
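The two sides of the embedding decision raised in this issue, as an added example that is not part of the issue or of the DOM Overlays specification: the embedder's `frame-src` and the embedded content's `frame-ancestors` / `X-Frame-Options` must both permit the load. It is a simplified model (only `'none'`, `'self'`, `*` and exact origins are handled), and the function names, object shapes and `.example` origins are assumptions made for illustration.

```javascript
// Added example: a simplified model, not a full CSP implementation.
// Supported source expressions: 'none', 'self', '*' and exact origins.
function directive(csp, names) {
  // Source list of the first directive in `names` that the policy carries, else null.
  const found = new Map();
  for (const part of (csp || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !found.has(name.toLowerCase())) found.set(name.toLowerCase(), sources);
  }
  for (const n of names) if (found.has(n)) return found.get(n);
  return null;
}

function matches(sources, origin, selfOrigin) {
  return sources.some((s) => {
    const t = s.toLowerCase();
    if (t === "*") return true;
    if (t === "'self'") return origin === selfOrigin;
    return t === origin; // 'none' and unsupported forms match nothing
  });
}

// ancestors: origins from the immediate embedder up to the top-level page (constructed input).
function mayEmbed(embedder, content, ancestors = [embedder.origin]) {
  // 1. Embedder side: frame-src, falling back to child-src, then default-src.
  const frameSrc = directive(embedder.csp, ["frame-src", "child-src", "default-src"]);
  if (frameSrc && !matches(frameSrc, content.origin, embedder.origin))
    return { allowed: false, by: "frame-src" };
  // 2. Content side: frame-ancestors must match every ancestor; when present, XFO is ignored.
  const fa = directive(content.csp, ["frame-ancestors"]);
  if (fa) {
    const ok = ancestors.every((a) => matches(fa, a, content.origin));
    return ok ? { allowed: true, by: null } : { allowed: false, by: "frame-ancestors" };
  }
  // 3. Content side: X-Frame-Options (DENY / SAMEORIGIN; other values ignored here).
  const xfo = (content.xfo || "").trim().toUpperCase();
  if (xfo === "DENY" || (xfo === "SAMEORIGIN" && !ancestors.every((a) => a === content.origin)))
    return { allowed: false, by: "x-frame-options" };
  return { allowed: true, by: null };
}

// Constructed sample: the embedder allows the origin, but the content opts out of all framing.
const app = { origin: "https://app.example", csp: "frame-src https://overlay.example" };
const overlay = { origin: "https://overlay.example", csp: "frame-ancestors 'none'", xfo: "" };
console.log(mayEmbed(app, overlay)); // { allowed: false, by: 'frame-ancestors' }
```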
