Re: [websec] Coordinating Frame-Options and CSP UI Safety directives

Tobias Gondrom <> Sun, 02 September 2012 11:40 UTC

Hello all,

Thank you for your feedback and input.


NIH (not invented here) should definitely never be a reason for a decision 
- in either way.
And I would also be open to assist the WebAppSec WG in writing this tiny 
bit into CSP.

I have two main reasons why I think we should keep FO separate to CSP 
and would like to hear your thoughts about it before we should make a 
decision. (Please note that in the case of this topic I will obviously 
not be acting as WG chair.)

1. Model and Semantic Reason:
Until now, I always understood the CSP model to be about "describe the 
security policy for a loaded resource and say which parts of that 
content you can execute and which references in that content you shall 
follow and execute".
While the XFO/FO model is the reverse: describing for a resource, 
defining by whom your resource may be framed/loaded from. In my view 
that was not a natural part of the CSP model. And in my understanding 
that semantic difference was also one of the reasons why it was not done 
in CSP1.0 in the first place, but at the time agreed to be done in 
websec separately.

Or as someone else from W3C WebAppSec wrote it more clearly to me about 
a year ago:
"... removing frame-ancestors from CSP altogether if a better, 
standardized Frame-Options is available to sites. In fact, it simplifies 
the model in some ways since frame-ancestors is currently the only 
directive that restricts content from the embedded site's perspective."

2. Technical Implementation:
The current FO spec allows only one "Allow-From" URI. Which means that 
for complex framing relationships, the FO header needs to be 
written/sent on the fly on a per request basis.
My question is, what happens to only one "ALLOW-FROM" if we integrate it 
into CSP?
Can we generate individual CSPs on the fly as well (including if a CSP 
header references a file), or would this then implicitly mean we have 
to allow a list of "ALLOW-FROM"?

(Please note that the initial version did allow a list for 
"Allow-From", but there were serious concerns for performance in 
implementation for large lists and privacy matters. The change to only 
one "Allow-From" is not "written in stone", still I would like to 
understand if we limit ourselves back to the "Allow-From list" 
implicitly by putting it into CSP? I had a couple of private 
conversations on this problem in the last months, but they could not 
definitively answer that question...)

Best regards, Tobias
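
The per-request generation described under point 2, as an added example that is not part of the original message: a server that holds a list of permitted framing origins emits a single ALLOW-FROM value chosen per request and falls back to DENY. The allowlist, the function names, the `X-Frame-Options` header spelling, and the use of the Referer header as the hint for the framing origin are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist of origins permitted to frame the resource.
ALLOWED_FRAMERS = {
    "https://portal.example.com",
    "https://partner.example.net:8443",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the serialized origin (scheme://host[:port]) of url, or None."""
    try:
        parts = urlsplit(url or "")
        port = parts.port  # raises ValueError for a malformed or out-of-range port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def framing_headers(referer, allowed=ALLOWED_FRAMERS):
    """Build the per-request headers: one ALLOW-FROM origin, or DENY.

    Assumption: the framing page's URL arrives in the Referer header.
    The comparison is on the exact origin, never a prefix or substring,
    so look-alike hosts do not match the allowlist.
    """
    origin = origin_of(referer)
    if origin in allowed:
        value = f"ALLOW-FROM {origin}"
    else:
        value = "DENY"
    # The response now differs per framing origin, so caches must key on it.
    return {"X-Frame-Options": value, "Vary": "Referer"}
```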