Conversation

tunetheweb
Contributor

@tunetheweb tunetheweb commented Jan 21, 2025

Fixes #10936

As per #10936 (comment) this was likely added through a misunderstanding of the CSP spec wording.

  • At least two implementers are interested (and none opposed):
    • There are no plans to remove X-Frame-Options from any browsers (at least no public positions on this that I'm aware of) and doing so would likely be a downgrade in security for no real benefit.
  • Tests are written and can be reviewed and commented upon at:
    • N/A
  • Implementation bugs are filed:
    • Chromium: N/A
    • Gecko: N/A
    • WebKit: N/A
    • Deno (only for timers, structured clone, base64 utils, channel messaging, module resolution, web workers, and web storage): …
    • Node.js (only for timers, structured clone, base64 utils, channel messaging, and module resolution): …
  • Corresponding HTML AAM & ARIA in HTML issues & PRs: N/A
  • MDN issue is filed: Undeprecate X-Frame-Options mdn/browser-compat-data#25663
  • The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)


/document-lifecycle.html ( diff )
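The security point in the PR description above (dropping X-Frame-Options once CSP frame-ancestors exists would be a downgrade) rests on how the two headers interact: CSP Level 2 says a browser that understands frame-ancestors enforces it and ignores X-Frame-Options when both are present, while a browser without frame-ancestors support only ever sees X-Frame-Options. The following is an added example, not code from this PR, the HTML Standard, the CSP spec or any browser; the function names, the "modern"/"legacy" labels and the sample header sets are this example's own assumptions. It builds the header pair for a chosen framing policy and reports what each class of browser would actually enforce for a given response:

```javascript
// Added example: framing headers and their effective policy per browser class.
// Header names and directive vocabulary are standard; everything else
// (function names, the modern/legacy split, sample inputs) is assumed here.

// Build the framing headers for a policy:
//   { mode: "deny" }                                -> nobody may frame
//   { mode: "self" }                                -> same origin only
//   { mode: "allow", origins: ["https://a.example"] } -> self plus listed origins
function framingHeaders(policy) {
  switch (policy.mode) {
    case "deny":
      return {
        "content-security-policy": "frame-ancestors 'none'",
        "x-frame-options": "DENY",
      };
    case "self":
      return {
        "content-security-policy": "frame-ancestors 'self'",
        "x-frame-options": "SAMEORIGIN",
      };
    case "allow": {
      // X-Frame-Options has no working allow-list form (ALLOW-FROM is obsolete
      // and was never supported across browsers), so only CSP is emitted here.
      // Adding SAMEORIGIN as a fallback would protect legacy browsers at the
      // cost of breaking the allowed partners in those same browsers.
      const sources = ["'self'", ...policy.origins];
      return { "content-security-policy": `frame-ancestors ${sources.join(" ")}` };
    }
    default:
      throw new Error(`unknown framing mode: ${policy.mode}`);
  }
}

// Return the frame-ancestors source list from a CSP header value, or null.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Report what a CSP-aware ("modern") and a CSP-unaware ("legacy") browser
// would enforce, plus warnings a reviewer would want to see.
function effectiveFramingPolicy(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;

  const ancestors = frameAncestors(lower["content-security-policy"]);
  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  const xfoValid = xfo === "DENY" || xfo === "SAMEORIGIN";

  // CSP-aware browser: frame-ancestors wins whenever present, XFO is ignored.
  const modern = ancestors
    ? `frame-ancestors ${ancestors.join(" ")}`
    : xfoValid ? xfo : "unrestricted";
  // Browser without frame-ancestors support: only X-Frame-Options counts.
  const legacy = xfoValid ? xfo : "unrestricted";

  const warnings = [];
  if (ancestors && !xfo) {
    warnings.push("frame-ancestors set but X-Frame-Options missing: legacy browsers unprotected");
  }
  if (xfo && !xfoValid) {
    warnings.push(`X-Frame-Options value "${xfo}" is not DENY or SAMEORIGIN and will be ignored`);
  }
  if (ancestors && xfoValid) {
    const single = ancestors.length === 1 ? ancestors[0] : null;
    if (single === "'none'" && xfo !== "DENY") warnings.push("frame-ancestors 'none' but X-Frame-Options is not DENY");
    if (single === "'self'" && xfo !== "SAMEORIGIN") warnings.push("frame-ancestors 'self' but X-Frame-Options is not SAMEORIGIN");
  }
  return { modern, legacy, warnings };
}

// Constructed sample: a response that only sends CSP, as a site might after
// reading "obsoletes" as "no longer needed".
const cspOnly = { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" };
const report = effectiveFramingPolicy(cspOnly);
console.log(report.modern, "/", report.legacy, "/", report.warnings);
```

Running it shows the asymmetry the PR is about: the CSP-only response yields `frame-ancestors 'none'` for a CSP-aware browser but `unrestricted` for one that only understands X-Frame-Options, whereas `framingHeaders({ mode: "deny" })` yields DENY in both.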

@tunetheweb tunetheweb changed the title Editorial: Tone down X-Frame-Options obseletion message Editorial: Tone down X-Frame-Options obsoletion message Jan 21, 2025
Member

@domenic domenic left a comment

I'm fine with this change, although I guess the discussion is still ongoing so I'll tag "do not merge yet" until we have everyone on the same page.

@domenic domenic added clarification Standard could be clearer do not merge yet Pull request must not be merged per rationale in comment labels Jan 22, 2025
Member

@annevk annevk left a comment

This seems reasonable, but I think we should change CSP at the same time to also use less confusing wording.

@tunetheweb
Contributor Author

tunetheweb commented Jan 22, 2025

This seems reasonable, but I think we should change CSP at the same time to also use less confusing wording.

Do you mean the CSP spec? I already raised w3c/webappsec-csp#702 to do just that.

@annevk annevk removed the do not merge yet Pull request must not be merged per rationale in comment label Jan 23, 2025
@annevk annevk merged commit 650bb53 into whatwg:main Jan 23, 2025
2 checks passed
@annevk
Member

annevk commented Jan 23, 2025

Thanks!

Successfully merging this pull request may close these issues.

Wording of X-Frame-Options as legacy and "obseleted"