Commit a963d16

Update spec.bs
removing frame-ancestors 'none' as it's prob fine for other sites to frame SLIM content.
1 parent a9a2c92 commit a963d16

1 file changed

+1
-10
lines changed

spec.bs

Lines changed: 1 addition & 10 deletions
@@ -117,14 +117,6 @@ SLIM documents **MUST NOT** embed other browsing contexts.
117117

118118
**Rationale:** Embedded contexts violate the single-request fetch model (§4.14), create side-channel requests, and expand the attack surface (tracking, clickjacking, mixed policy contexts).
119119

120-
**Operational guidance (non-normative):**
121-
Servers **SHOULD** send a Content Security Policy to prevent third-party framing:
122-
123-
`Content-Security-Policy: frame-ancestors 'none'`
124-
125-
This header blocks other sites from framing SLIM pages, reducing clickjacking risk.
126-
127-
128120

129121
### 4.11 File Size — ADVISORY
130122
No hard maximum size; authors are encouraged to adopt a “less is more” mindset.
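Review bot: the removed "Operational guidance" paragraph was the spec's only concrete mitigation for clickjacking, yet the unchanged **Rationale** line just above it still lists clickjacking as one of the reasons embedded contexts expand the attack surface, so the section now names a risk it no longer addresses. Either drop "clickjacking" from the rationale, or keep a weakened form of the guidance that matches the commit's intent, for example "Servers **MAY** send `Content-Security-Policy: frame-ancestors 'none'` if they do not want their content framed", so the text stays internally consistent.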
@@ -155,7 +147,7 @@ Follow SLIM versioning guidance (e.g., SLIM v1.0) and update the meta tag accord
155147

156148
SLIM authors and operators **SHOULD** consider deploying a Content Security Policy that enforces SLIM restrictions at the browser level. An example of a maximally restrictive CSP is:
157149

158-
`Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; font-src 'none'; img-src 'none'; media-src 'none'; script-src 'none'; object-src 'none'; frame-src 'none'; child-src 'none'; frame-ancestors 'none'; connect-src 'self'`
150+
`Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; font-src 'none'; img-src 'none'; media-src 'none'; script-src 'none'; object-src 'none'; frame-src 'none'; child-src 'none'; connect-src 'self'`
159151

160152
This policy prevents the browser from loading or executing any resource type disallowed by SLIM.
161153

@@ -175,7 +167,6 @@ SLIM enforces several requirements that enhance security and privacy:
175167
**Operational hardening (Recommended):** To avoid extra fetches, operators SHOULD:
176168
- Return **204 No Content** (or **410 Gone**) from `/favicon.ico`.
177169
- Ensure canonical SLIM URLs resolve directly with **200 OK** (no redirects).
178-
- Send `Content-Security-Policy: frame-ancestors 'none'` to prevent third-party framing.
179170

180171

181172
## 7. Change History
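Review bot: dropping the framing bullet leaves this hardening list, and §6 as a whole, with no statement about framing at all, while the commit message records a decision that framing SLIM content is acceptable. A one-line note here (e.g. "SLIM imposes no restriction on third-party framing; operators **MAY** send `frame-ancestors` if they require clickjacking protection") would document that decision rather than leave it implicit. The remaining two bullets still fit the "To avoid extra fetches" lead-in, whereas the removed one never did, so the list reads more coherently after the change. Since the hunk's trailing context is the `## 7. Change History` heading, this edit should also get an entry there.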
