Re: [websec] Spencer Dawkins' No Objection on draft-ietf-websec-x-frame-options-08: (with COMMENT)
Tobias Gondrom <tobias.gondrom@gondrom.org> Tue, 13 August 2013 16:47 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34EC011E8191 for <websec@ietfa.amsl.com>; Tue, 13 Aug 2013 09:47:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level:
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kGjU5ihuJG40 for <websec@ietfa.amsl.com>; Tue, 13 Aug 2013 09:47:44 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id 39A8911E8189 for <websec@ietf.org>; Tue, 13 Aug 2013 09:47:34 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=nMriRTYEe1Ho++a2AKw93CsC13tAsJPzSWBzZtu9J3gaw3aggRXAN/pbHO7NeguGSjH+h0H5gvrmSfRaC4aRS13+fhGtcHKwma02SFDwULo+YQmhgr7T45+DMVwtCsOR; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 5150 invoked from network); 13 Aug 2013 18:47:32 +0200
Received: from 188-222-103-191.zone13.bethere.co.uk (HELO ?192.168.1.64?) (188.222.103.191) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 13 Aug 2013 18:47:32 +0200
Message-ID: <520A6324.4050104@gondrom.org>
Date: Tue, 13 Aug 2013 17:47:32 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: spencerdawkins.ietf@gmail.com
References: <20130813011010.13384.75933.idtracker@ietfa.amsl.com>
In-Reply-To: <20130813011010.13384.75933.idtracker@ietfa.amsl.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-websec-x-frame-options@tools.ietf.org, websec@ietf.org, iesg@ietf.org, websec-chairs@tools.ietf.org
Subject: Re: [websec] Spencer Dawkins' No Objection on draft-ietf-websec-x-frame-options-08: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 16:47:49 -0000
Dear Spencer, thanks a lot for the review and feedback. I included your feedback comments in version-09. Thanks for the review and all the best, Tobias On 13/08/13 02:10, Spencer Dawkins wrote: > Spencer Dawkins has entered the following ballot position for > draft-ietf-websec-x-frame-options-08: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-websec-x-frame-options/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I really like this specification, and I appreciate the working group > producing it. Documenting "in the wild" behavior is a good thing. > > I have one fairly fundamental comment, which I think can be easily > addressed, and a few nits. > > My comment: This specification starts out like a normal header field > specification until you get to > > 1. Introduction > > This specification provides informational documentation about the > current use and definition of the X-Frame-Options HTTP header field. > Given that the "X-" construction is deprecated [RFC6648], the X > -Frame-Options header field will in the future be replaced by the > Frame-Options directive in the Content Security Policy Version 1.1 > [CSP-1-1]. > > That's still KIND of OK (no indication that anything is wrong with > X-FRAME-OPTIONS functionality, just a heads-up that implementations that > include X-FRAME-OPTIONS will have work to do in the future), but when we > get to > > 2.3.2.2. Variation in current browser behaviour > > There are currently variations in the implementation of the X-FRAME- > OPTIONS header. > > we discover unambiguously that current implmentations don't all work the > same way, so your ability to rely on X-FRAME-OPTIONS is not entirely > clear. > > I wonder if the set of technical details are asperational, saying "this > is what X-FRAME-OPTIONS could have been, and what the next header field > in this space should be". > > I think it's fine to publish this specification, especially as > Informational, even if it's not clear to me that *any* of the > functionality described in this specification is implemented the same way > in all major browsers. > > I would be more comfortable with a clear statement in the Introduction > that the biggest problem with X-FRAME-OPTIONS is *not* the leading "X-", > but that today's implementations don't all provide the same options with > the same behaviors, so relying on this specification as a predictor of > what will happen to your frames is not a good idea. > > One sentence that puts the reader on notice would be sufficient. Done. > My nits, just so editors don't have to find them again: > > Is there a reason why sometimes X-FRAME-OPTIONS is in all caps, and other > times not? I'm not an APP guy, so I'm asking. Only reason is that my eyes got tired of so many all caps in the flow text, while in some place, I felt it would be easier to read when in all caps. Both are possible. > > In Section 2.3.2.2. Variation in current browser behaviour > > These variations in the evaluation of the header by different > implementations impair the useage and reliability of this http > header. A revised version of x-frame-options in the form of a frame- > options directive in the CSP 1.1[CSP-1-1] will unify the behaviour > and it is expected that newer implementations will use it rather than > the mechanisms documented here" > > The trailing quote mark should be a period, I suppose? Yes. Corrected. > > 5.1. Privacy Considreations should be "Considerations". Thanks. Corrected. > > In B.2. Online Shop Confirm Purchase Page > > The "Confirm Purchase"" > > The doubled trailing quote marks should be one quote mark, perhaps? Yes. Thanks. Corrected. >
- [websec] Spencer Dawkins' No Objection on draft-i… Spencer Dawkins
- Re: [websec] Spencer Dawkins' No Objection on dra… Tobias Gondrom