[whatwg] some thoughts on sandboxed IFRAMEs

Adam Barth whatwg at adambarth.com
Mon Jan 25 11:57:46 PST 2010


On Mon, Jan 25, 2010 at 7:51 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> 1) Some other security mechanisms (CORS, anti-clickjacking controls,
> XSS filter controls) rely on separate HTTP headers instead. Is there a
> compelling reason not to follow that lead - or better yet, to unify
> all security headers to conserve space?

The reason to use a MIME type here is to trick legacy browsers into
not rendering the response as HTML.

Adam


More information about the whatwg mailing list