"Steingruebl, Andy" <> Thu, 09 September 2010 16:32 UTC

From: "Steingruebl, Andy" <>
To: Julian Reschke <>, IETF HASMAT list <>
Date: Thu, 9 Sep 2010 10:32:56 -0600
List-Id: HTTP Application Security Minus Authentication and Transport <>

> -----Original Message-----
> From: [] On
> Behalf Of Julian Reschke
> <
> clickjacking-defenses.aspx>
> and <>.
> Is this something the WG should consider as well?

I definitely agree that there ought to be a spec for this.  What I'm a bit torn about though is where its home should be.  

Because X-Frame-Options deals exclusively with HTML processing agents and how they want to visually represent content, I think this may more properly belong to the nascent W3C Web Application Security Working Group -

My hope is that we can come up with some sort of logical grouping or, dare I say it, taxonomy of security controls/indicators and group them into things that are core protocol related, and those that are content/display/interpretation related.  The first group could be done in the IETF, the second in the W3C.  My thinking isn't especially well-formed on this as I don't have that grouping/taxonomy laid out.

Admittedly HSTS mostly only applies to web browsers as well since they are the main target, and yet we're working on that here.  At the same time CORS and CSP are both presumably going to be done/continue at the W3C, and X-Frame-Options seems closer to them than it does to HSTS.

Perhaps a good exercise would be for us to enumerate a bunch of the policy mechanisms we've been envisioning, and then group them according to type, home, etc.  I don't know that we need a full taxonomy of them, but I'm open to being persuaded.

- Andy