by jimktrains2 4535 days ago
I wasn't saying HSTS is useless, just pointing out one of the issues with it. I think HSTS is a great thing!

With XFO, doing something like adding 'reddit.com/' before the domain to see if it's been submitted becomes much more computationally intensive on reddit's side if they can't just put it in a frame. This is where I run into issues mostly, with tools such as that. That said, there are other things it could do (take me to a submit page or a discussion page instead of framing the page). And frames suck anyway, so there is that.

I can see the usefulness in CSP, I just feel like it's a band-aid on larger problems.
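The "reddit.com/ before the domain" case above comes down to a browser-side decision: the page's own response headers say which origins may frame it. As an added example that is not part of this thread, here is a simplified model of that check, with a constructed pair of header sets: one that sends only `X-Frame-Options: SAMEORIGIN` (which blocks a third-party toolbar frame), and one that keeps XFO as a fallback but uses a CSP `frame-ancestors` directive to allow a named framing origin. The header values and origins are made up for the example; real browsers also check every ancestor in the frame chain, not just the top-level framer.

```python
"""Evaluate whether a framing origin may embed a page, based on the page's
X-Frame-Options and Content-Security-Policy frame-ancestors headers.

Hypothetical, simplified model of the browser's check (not a full CSP parser).
Origins are compared as scheme://host[:port] strings."""
from typing import Mapping
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{port}"


def _source_matches(src: str, framer: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the framer origin."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer == page
    f = urlsplit(framer)
    # scheme-only source such as "https:"
    if src.endswith(":") and "/" not in src:
        return f.scheme == src[:-1]
    # host source, optionally with a scheme and a leading "*." wildcard
    if "://" in src:
        scheme, rest = src.split("://", 1)
    else:
        scheme, rest = "", src
    if scheme and scheme != f.scheme:
        return False
    hostname, _, port = rest.split("/")[0].partition(":")
    if port and port != str(f.port or (443 if f.scheme == "https" else 80)):
        return False
    fhost = f.hostname or ""
    if hostname.startswith("*."):
        return fhost.endswith(hostname[1:])
    return fhost == hostname


def frame_allowed(headers: Mapping[str, str], framer_url: str, page_url: str) -> bool:
    """Return True if the document at page_url may be framed by framer_url."""
    h = {k.lower(): v for k, v in headers.items()}
    framer, page = origin_of(framer_url), origin_of(page_url)
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When frame-ancestors is present, browsers ignore X-Frame-Options.
            return any(_source_matches(s, framer, page) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    # No (or unrecognised) policy: the browser permits framing.
    return True


# Constructed sample header sets (not taken from any real site).
SAMEORIGIN_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
TOOLBAR_FRIENDLY = {
    "X-Frame-Options": "SAMEORIGIN",  # fallback for browsers without CSP support
    "Content-Security-Policy": "frame-ancestors 'self' https://*.reddit.com",
}

PAGE = "https://news.ycombinator.com/"
TOOLBAR_FRAMER = "https://www.reddit.com/https://news.ycombinator.com/"

if __name__ == "__main__":
    print(frame_allowed(SAMEORIGIN_ONLY, TOOLBAR_FRAMER, PAGE))   # False
    print(frame_allowed(TOOLBAR_FRIENDLY, TOOLBAR_FRAMER, PAGE))  # True
```

The point for a site operator is that `SAMEORIGIN` is all-or-nothing, while `frame-ancestors` lets you name the specific origins you are willing to be framed by and still refuse everyone else; the obsolete `ALLOW-FROM` form of XFO is not modelled here because current browsers do not honour it.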


X-FRAME-OPTIONS I feel like the number of times this has prevented a useful action vs prevented a bad action is many:0

I am rather curious: where did you get this claim? Any stories I should check?

And also, what's the larger problem? Again, I'd really love to hear you elaborate on your thoughts. Thanks.

As for XFO, I specifically said that that was my opinion and my experience. I even gave a specific example: adding reddit.com/ before the domain of Hacker News, for instance, won't let reddit put it in a frame (in order to put the reddit toolbar above it). I've only ever encountered tools such as that breaking because of XFO.

Also, it's my user-agent; it's supposed to do what _I_ want it to do, not what the content author wants it to do, and I can't find a way to disable honoring XFO.

For CSP, one example of a larger problem would be accepting and storing unsanitized input. If it's going out to the user as (otherwise executable) JavaScript, are there other places that you're placing unescaped user-submitted data that could be an issue (a SQL statement perhaps, or the API of a site that trusted you to sanitize things (although they shouldn't))?
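The "larger problem" described in that comment is that one stored, unsanitized value tends to be reused in several output contexts, each with its own metacharacters. As an added example that is not part of this thread, the block below takes one constructed display name and renders it into an HTML body, a JavaScript string literal and a SQL query, showing the context-blind version beside the one that encodes for each context (HTML escaping, JSON encoding with `</` neutralised, and a parameterised query). The table, column names and sample value are made up for the example; the SQL part uses Python's bundled sqlite3 so it runs offline.

```python
"""One stored value, three output contexts: the same unescaped interpolation
that CSP would only paper over in the browser also breaks the SQL layer.

Hypothetical example; the users table and the sample name are constructed."""
import html
import json
import sqlite3

# Constructed sample of stored, unsanitized user input: characters that are
# meaningful in HTML (<, &), in a JS string literal (') and in SQL (').
STORED_NAME = "O'Brien <b>&co</b>"


# --- HTML body context -------------------------------------------------------
def render_html_unsafe(name: str) -> str:
    # Raw interpolation: markup in the name becomes markup in the page.
    return f"<p>Hello, {name}</p>"


def render_html_safe(name: str) -> str:
    # html.escape turns <, >, &, " and ' into entities, so the name stays text.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- JavaScript string-literal context --------------------------------------
def render_js_unsafe(name: str) -> str:
    # The apostrophe in the name terminates the JS string early.
    return f"<script>var user = '{name}';</script>"


def render_js_safe(name: str) -> str:
    # JSON-encode for a valid JS literal, then neutralise "</" so the value
    # can never close the enclosing <script> element.
    literal = json.dumps(name).replace("</", "<\\/")
    return f"<script>var user = {literal};</script>"


# --- SQL context -------------------------------------------------------------
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", (STORED_NAME,))
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # String-built query: the apostrophe ends the SQL literal and the rest is
    # parsed as SQL, so even a benign name fails (and a hostile one could do more).
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver sends the value separately from the SQL.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def unsafe_query_fails(conn: sqlite3.Connection, name: str) -> bool:
    """True if the string-built query is rejected by the SQL parser."""
    try:
        find_user_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print(render_html_safe(STORED_NAME))
    print(render_js_safe(STORED_NAME))
    db = make_db()
    print(unsafe_query_fails(db, STORED_NAME), find_user_safe(db, STORED_NAME))
```

The design point is that sanitising on input cannot know which of these contexts the value will later land in, so each sink applies its own encoding at output time; the CSP header then remains a second line of defence for the browser rather than the only one.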