[secdir] secdir review of draft-ietf-websec-x-frame-options-07

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Sun, 11 August 2013 18:50 UTC

From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-websec-x-frame-options.all@tools.ietf.org" <draft-ietf-websec-x-frame-options.all@tools.ietf.org>
Date: Sun, 11 Aug 2013 18:44:36 +0000
Message-ID: <A95B4818FD85874D8F16607F1AC7C628DB98BB@xmb-rcd-x09.cisco.com>

Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document is ready with issues.

The document is generally well written and covers an important topic. It describes existing options that can be included in an HTTP header to prevent the HTTP content from being embedded in the frame of another page. The document describes the existing options and therefore meets its main goal. The main issue I see with the document is the lack of guidance on when to use the options.

Issues:

1. Section 2.1: It seems that RFC6454 should be first referenced in the SAMEORIGIN section. Also, shouldn't the note about port not being considered a defining component of origin apply to SAMEORIGIN as well?

2. Section 2.3.1: I'm not sure what section 2.3.1 is trying to say. Is it saying that the X-FRAME-OPTIONS should apply to all of these embedding mechanisms? If this is the case then I think this section should explicitly say so.

3. Section 5:

- The security considerations state of X-FRAME-OPTIONS that "it is not self-sufficient on its own, but must be used in conjunction with other security measures like secure coding and the Content Security Policy." This statement leads me to believe that more guidance is necessary. For example, is the reference to "secure coding" a general statement, or are there specific coding considerations that are specific to clickjacking protection? If it's general then it doesn't really add anything, so I think it would be better to be more specific. The same comment applies to CSP.

- Should pages also employ framebusting since the header options are not uniformly implemented?

- Perhaps the second paragraph should explicitly say that, because of this, developers must be aware that embedding content from other sites may leave them vulnerable to clickjacking if the SAMEORIGIN directive is used.

- What pages should include this header option? More guidance here would be good. Right now it's not necessarily clear which pages should include this header, especially given the uncertainty with SAMEORIGIN described in the second paragraph. Should all pages on a site deny being framed unless their content needs to be embedded in another site?
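The SAMEORIGIN uncertainty the review points at (whether a browser compares only the top-level document or every ancestor frame against the content's origin) can be made concrete with a small policy model. The following Python is an added illustration, not code from the draft, the review or any browser: it evaluates DENY, SAMEORIGIN and ALLOW-FROM against a frame ancestry chain, with a switch between the two SAMEORIGIN readings. The origin comparison as a (scheme, host, port) tuple per RFC 6454 and the treatment of unrecognized header values as "unprotected" are modelling assumptions.

```python
"""Model of browser-side X-Frame-Options evaluation (added example, not from the draft)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Origin of a URL as a (scheme, host, port) tuple, RFC 6454 style (assumed here)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def parse_xfo(header):
    """Parse a header value into (directive, allowed_origin_or_None)."""
    value = header.strip()
    upper = value.upper()
    if upper in ("DENY", "SAMEORIGIN"):
        return upper, None
    if upper.startswith("ALLOW-FROM"):
        rest = value[len("ALLOW-FROM"):].strip()  # single serialized origin follows
        return "ALLOW-FROM", (origin(rest) if rest else None)
    return "UNKNOWN", None


def frame_allowed(header, content_url, ancestor_urls, check_all_ancestors=True):
    """Decide whether the document at content_url may render inside the given frames.

    ancestor_urls lists the framing chain, top-level document first.
    check_all_ancestors=True compares every ancestor with the content's origin;
    False compares only the top-level document, the lenient reading under which
    a foreign intermediate frame inside a same-origin top-level page is accepted.
    Unknown or empty values are treated as no protection (modelling assumption).
    """
    if not ancestor_urls:
        return True  # not framed at all, header is irrelevant
    directive, allowed = parse_xfo(header)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        own = origin(content_url)
        checked = ancestor_urls if check_all_ancestors else ancestor_urls[:1]
        return all(origin(a) == own for a in checked)
    if directive == "ALLOW-FROM":
        # ALLOW-FROM is defined against the top-level browsing context only
        return allowed is not None and origin(ancestor_urls[0]) == allowed
    return True
```

Running the same SAMEORIGIN chain with `check_all_ancestors` set both ways shows why the review asks for explicit guidance: only the strict reading rejects a sensitive page framed through a foreign frame that is itself embedded in a same-origin page.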