Re: [websec] X-Frame-Options EBNF bug at Mozilla

Tobias Gondrom <tgondrom@gmx.net> Tue, 26 February 2013 16:28 UTC

Return-Path: <tgondrom@gmx.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82D5521F8758 for <websec@ietfa.amsl.com>; Tue, 26 Feb 2013 08:28:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.8
X-Spam-Level:
X-Spam-Status: No, score=-1.8 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oFMlD3COXrKp for <websec@ietfa.amsl.com>; Tue, 26 Feb 2013 08:28:21 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id 5765221F8635 for <websec@ietf.org>; Tue, 26 Feb 2013 08:28:20 -0800 (PST)
Received: from mailout-de.gmx.net ([10.1.76.1]) by mrigmx.server.lan (mrigmx001) with ESMTP (Nemesis) id 0MKffd-1UA6XU1htH-001wE8 for <websec@ietf.org>; Tue, 26 Feb 2013 17:28:19 +0100
Received: (qmail invoked by alias); 26 Feb 2013 16:28:18 -0000
Received: from d1-162-57-143-118-on-nets.com (EHLO [10.8.18.138]) [118.143.57.162] by mail.gmx.net (mp001) with SMTP; 26 Feb 2013 17:28:18 +0100
X-Authenticated: #1793214
X-Provags-ID: V01U2FsdGVkX19Je2gHaVxJqzmM8aFJTedtTsncPLpiBcs2/49dtc kxdww8vHZyvd5D
Message-ID: <512CE299.8090703@gmx.net>
Date: Wed, 27 Feb 2013 00:28:09 +0800
From: Tobias Gondrom <tgondrom@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: julian.reschke@gmx.de
References: <370C9BEB4DD6154FA963E2F79ADC6F2E279156B0@DEN-EXDDA-S12.corp.ebay.com> <512C8D7B.4000307@gondrom.org> <512CDD75.9030308@gmx.de>
In-Reply-To: <512CDD75.9030308@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: websec@ietf.org
Subject: Re: [websec] X-Frame-Options EBNF bug at Mozilla
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2013 16:28:24 -0000

On 27/02/13 00:06, Julian Reschke wrote:
> On 2013-02-26 11:24, Tobias Gondrom wrote:
>> Thanks a lot for bringing this to WG attention.
>> It seems that I misread that point when I first wrote the draft.
>> Actually the same is true for IE.
>> I corrected the ABNF in the new version to reflect IE and Mozilla
>> behavior.
>> Best regards and thanks a lot for catching this!
>> Tobias
>> ...
>
>
> See <https://bugzilla.mozilla.org/show_bug.cgi?id=836132#c19>:
>
>>  Phil Ames (New to Bugzilla) 2013-02-26 08:00:53 PST
>>
>> From
>> http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2
>> :
>>
>> "The values are specified as ABNF strings, and therefore are
>> case-insensitive"
>>
>> and the relevant methods in the code use
>> "[header-value].LowerCaseEqualsLiteral(...)" so they match
>> case-insensitively.
>>
>> One note, I think the spec is incorrect in stating that FF/Chrome
>> support colons in 2.2.2, Chrome has no support at all for Allow-From
>> (just my pending patch which has the same behavior as the one that
>> led to this bug), and obviously colons are not supported here either
>> (and the intent seems to be to not permit them).
>
> So I believe
> <http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2.2>
> needs to be fixed; in the best case by just removing it.

I would be fine with removing this.

Just for the record:
>From another reviewer/security researcher, I received on Jan-9 the
following feedback:
"IE8+ :

  X-Frame-Options: ALLOW-FROM http://example.com/

IETF-draft :

  X-Frame-Options: ALLOW-FROM: http://example.com/

IE needs no colon between "ALLOW-FROM" and uri.Firefox and Chrome accept
both."

Which indicated that Firefox and Chrome would support both, which is why
I kept it in.
But in reflection, it probably does not add value to talk about all
other possible syntax form that could be supported in some browsers due
to tolerance.

So I would agree with you to remove 2.2.2.
(And if until Sunday I don't hear any objections, I will do so.)

Best regards and thanks for the feedback, Tobias


>
> Best regards, Julian
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>