Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)

Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 14 August 2013 17:41 UTC

Message-ID: <520BC148.4010505@gondrom.org>
Date: Wed, 14 Aug 2013 18:41:28 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: ted.lemon@nominum.com
References: <20130814161444.6218.82572.idtracker@ietfa.amsl.com> <296E0D02-A1FB-4050-9DF6-06C60199AB32@checkpoint.com> <59CD902A-8992-452D-A9F1-C019016F6025@nominum.com>
In-Reply-To: <59CD902A-8992-452D-A9F1-C019016F6025@nominum.com>
Cc: draft-ietf-websec-x-frame-options@tools.ietf.org, websec@ietf.org, iesg@ietf.org, turners@ieca.com, websec-chairs@tools.ietf.org
Subject: Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)

On 14/08/13 18:33, Ted Lemon wrote:
> On Aug 14, 2013, at 12:55 PM, Yoav Nir <ynir@checkpoint.com> wrote:
>> The charter mandate was to just document. I think advice to web masters might be in scope, but advice for browser makers (for example, how to harmonize the implementations) is not.
> The document seems to currently contain quite a bit of advice for browser makers, and certainly for plugin makers. If the above statement is really true, that advice seems like it's out of scope. If the above statement is not true, then the advice ought to be complete.

Ted,

it is a balancing act: the depth of advice is proportionate to the
correlation of the different implementations.
So e.g. where implementations are in sync, the advice is more detailed.

We could add a section on how to handle nested frames, but as we
have two diverging major browser implementations on this point, that
didn't feel very productive, especially as we have the hope that CSP1.1
will replace X-Frame-Options in the future.

Best regards, Tobias