Re: [HASMAT] X-FRAME-OPTIONS

Adam Barth <ietf@adambarth.com> Thu, 09 September 2010 16:47 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hasmat@core3.amsl.com
Delivered-To: hasmat@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B150D3A68FA for <hasmat@core3.amsl.com>; Thu, 9 Sep 2010 09:47:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.052
X-Spam-Level:
X-Spam-Status: No, score=-2.052 tagged_above=-999 required=5 tests=[AWL=-0.075, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BbsdkHnK8nAz for <hasmat@core3.amsl.com>; Thu, 9 Sep 2010 09:47:38 -0700 (PDT)
Received: from mail-ew0-f44.google.com (mail-ew0-f44.google.com [209.85.215.44]) by core3.amsl.com (Postfix) with ESMTP id 66B323A6970 for <hasmat@ietf.org>; Thu, 9 Sep 2010 09:47:38 -0700 (PDT)
Received: by ewy26 with SMTP id 26so438934ewy.31 for <hasmat@ietf.org>; Thu, 09 Sep 2010 09:48:05 -0700 (PDT)
Received: by 10.213.20.13 with SMTP id d13mr108412ebb.83.1284050884406; Thu, 09 Sep 2010 09:48:04 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id v59sm2287980eeh.4.2010.09.09.09.48.03 (version=SSLv3 cipher=RC4-MD5); Thu, 09 Sep 2010 09:48:04 -0700 (PDT)
Received: by iwn3 with SMTP id 3so1475425iwn.31 for <hasmat@ietf.org>; Thu, 09 Sep 2010 09:48:02 -0700 (PDT)
Received: by 10.231.154.75 with SMTP id n11mr11914094ibw.40.1284050383210; Thu, 09 Sep 2010 09:39:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.143.1 with HTTP; Thu, 9 Sep 2010 09:39:12 -0700 (PDT)
In-Reply-To: <5EE049BA3C6538409BBE6F1760F328ABEAF852CA70@DEN-MEXMS-001.corp.ebay.com>
References: <4C88AD91.4090301@gmx.de> <5EE049BA3C6538409BBE6F1760F328ABEAF852CA70@DEN-MEXMS-001.corp.ebay.com>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 9 Sep 2010 09:39:12 -0700
Message-ID: <AANLkTinF4=O4TRr_FS8QK+c5mDWdAAo5t=hJ4MAmXUoH@mail.gmail.com>
To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: IETF HASMAT list <hasmat@ietf.org>
Subject: Re: [HASMAT] X-FRAME-OPTIONS
X-BeenThere: hasmat@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hasmat>
List-Post: <mailto:hasmat@ietf.org>
List-Help: <mailto:hasmat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2010 16:47:39 -0000

On Thu, Sep 9, 2010 at 9:32 AM, Steingruebl, Andy
<asteingruebl@paypal-inc.com> wrote:
>> -----Original Message-----
>> From: hasmat-bounces@ietf.org [mailto:hasmat-bounces@ietf.org] On
>> Behalf Of Julian Reschke
>>
>> <http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-
>> clickjacking-defenses.aspx>
>> and <http://www.mozilla.com/en-US/firefox/3.6.9/releasenotes/>.
>>
>> Is this something the WG should consider as well?
>
> I definitely agree that there ought to be a spec for this.  What I'm a bit torn about though is where its home should be.
>
> Because X-Frame-Options deals exclusively with HTML processing agents and how they want to visually represent content, I think this may more properly belong to the nascent W3C Web Application Security Working Group - http://www.w3.org/2010/07/appsecwg-charter.html
>
> My hope is that we can come up with some sort of logical grouping Or, dare I say it taxonomy, of security controls/indicators and group them into things that are core protocol related, and those that are content/display/interpretation related.  The first group could be done in the IETF, the second in the W3C.  My thinking isn't especially well-formed on this as I don't have that grouping/taxonomy laid out.
>
> Admittedly HSTS mostly only applies to web browsers as well since they are the main target, and yet we're working on that here.  At the same time CORS and CSP are both presumably going to be done/continue at the W3C, and X-Frame-Options seems closer to them than it does to HSTS.
>
> Perhaps a good exercise would be for us to enumerate a bunch f the policy mechanisms we've been envisioning, and then group them according to type, home, etc.  I don't know that we need a full taxonomy of them,  but I'm open to being persuaded.

Yeah, X-Frame-Options seems like a special case of CSP.

Adam