Re: [secdir] secdir review of draft-ietf-websec-x-frame-options-07

Tobias Gondrom <> Sun, 11 August 2013 20:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BAADE21E8083 for <>; Sun, 11 Aug 2013 13:53:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -96.505
X-Spam-Status: No, score=-96.505 tagged_above=-999 required=5 tests=[AWL=0.857, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, GB_I_LETTER=-2, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5jjbEpjhOIsS for <>; Sun, 11 Aug 2013 13:53:13 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id BA28F21F9EEE for <>; Sun, 11 Aug 2013 13:47:20 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default;; b=OdTR/zSySr+xo77LGhVADyOSSAX230/h5KQP5cAYBxT8mB916Tqnyi5FWf+0oTma7GTBpOJfHBhwAgOG0mrHemGuUsWzYoDhFy2ctqm1KJe8hWlN99M2H/+EypYU2B7G; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 11733 invoked from network); 11 Aug 2013 22:47:16 +0200
Received: from (HELO ? ( by with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 11 Aug 2013 22:47:16 +0200
Message-ID: <>
Date: Sun, 11 Aug 2013 21:47:16 +0100
From: Tobias Gondrom <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
References: <>
In-Reply-To: <>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] secdir review of draft-ietf-websec-x-frame-options-07
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 11 Aug 2013 20:53:18 -0000

Dear Joseph,

thank you very much for the review.
I revised the document to version-08 (also including feedback from other
reviews) accordingly including most of your feedback.
Answers inline.
Best regards, Tobias

On 11/08/13 19:44, Joseph Salowey (jsalowey) wrote:
> Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
> This document is ready with issues.  
> The document is generally well written and covers an important topic. It describes existing options that can be included in an HTTP header to to prevent the HTTP content from being embedded in the frame of another page.   The document describes the existing options and therefore meets its main goal.     The main issue I see with the document is in the lack of guidance on  when to use the options.   
> Issues:
> 1.  Section 2.1: It seems that  RFC6454 should be first referenced in the SAMEORIGIN section.   Also, shouldn't the note about port not considered as a defining component of origin apply to SAMEORIGIN as well?

Hm. I am afraid that would be counterproductive.
Although the name of the directive ("SAMEORIGIN") may suggest that this
refers directly to RFC6454, it does not. As you can see from the next
paragraph after the list, most current implementations do not follow
RFC6454 to the letter as they do not consider the port as a defining
component of the origin.
That is the reason why we felt that it would be better to have the
reference in the section below together with this explanation.

> 2.  Section 2.3.1: I'm not sure what section 2.3.1 is trying to say.    Is it saying that the X-FRAME-OPTIONS should apply to all of these embedding mechanisms?   If this is the case then I think this section should explicitly say so.  
Ok. Done. Added a sentence that "browser implementations cover all of

> 3.  Section 5:   
> - The security considerations states that the X-FRAME-OPTIONS "it is not self-sufficient on its own, but must be used in conjunction with other security measures like secure coding and the Content Security Policy."  This statement leads me to believe that more guidance is necessary.  For example, does the reference to "secure coding" a general statement, or are there specific coding considerations that are specific to clickjacking protection?   If its general then it doesn't really add anything so I think it would be better to be more specific.   The same comment applies to CSP.   
Thanks. I can see your point and adjusted the text a bit accordingly.
I understand that the terms are generic, on the other hand we want to
avoid that people feel unnecessarily safe and think everything is fine,
just because they are using this one header. E.g. if a page is
vulnerable to XSS, you may be able to escape your frame otherwise.

> - Should pages also employ framebusting since the header options are not uniformly implemented?
No. We intentionally did not refer to framebusting as in addition to XFO
in the security section, because:
1. today all major browsers support a minimum of x-frame-options,
although with variations. So even with their variations, framebusting
would not add much more capabilities. (note: in special use cases
framebusting could still make sense, but describing these would not be
adding value to the ID about XFO.)
2. framebusting has unfortunately been proven as not reliable against
sophisticated attackers. (see reference in the ID).

> - Perhaps the second paragraph should explicitly say that because of this developers must be aware that embedding content from other sites may leave them vulnerable to clickjacking if the SAMEORIGIN directive is used. 

Yes. Added text.

> - What pages should include this header option?   More guidance here would be good.  Right now its necessarily clear which pages should include this header especially given the uncertainty with SAMEORIGIN described in the second paragraph.  Should all pages on a site deny being framed unless their content needs to be embedded in another site? 

Hm. I felt uncomfortable speaking in too much detail about which web
pages should use X-FRAME-OPTIONS and which may not need to, as there is
a huge variety of web applications.

In general, you should obviously use it for anything that is vulnerable
against clickjacking as given by the abstract and introduction (i.e.
anything with buttons or links that you can click on with anything
happening as a result of that click). Overall I would prefer to not go
deeper into this in the draft, as IMHO the driving factor where to
deploy XFO should be driven by the context of the web application and
its risks.
It could be useful and simplify things to just deploy it everywhere,
even though some pages may not be at risk by clickjacking. But I don't
see a lot of benefit in adding more text about this.