[whatwg] Should scripts and plugins in contenteditable content be enabled or disabled?
pedzsan at gmail.com
Fri May 21 10:46:35 PDT 2010
On May 19, 2010, at 8:14 PM, Collin Jackson wrote:
> On Wed, May 19, 2010 at 4:57 PM, Adam Barth <w3c at adambarth.com> wrote:
> sites are effective.
This probably is not the right list for this but seems like the X-FRAME-OPTIONS HTTP header could be strengthened by having the UA send all requests from pages that have the X-FRAME-OPTIONS to also contain either the X-FRAME-OPTIONS or another tag. One weakness pointed out in the paper is that proxies can strip the header. If the server doesn't see the header come back, it would know that it got stripped out and the request needs to be questioned. I don't know if there is a way to introduce "fake" HTTP headers into requests or not. If there is, that would need to be addressed too.