Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
Barry Leiba <barryleiba@computer.org> Mon, 19 August 2013 17:43 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 199EC11E82B1; Mon, 19 Aug 2013 10:43:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.949
X-Spam-Level:
X-Spam-Status: No, score=-101.949 tagged_above=-999 required=5 tests=[AWL=0.029, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rMw3rY96n7kA; Mon, 19 Aug 2013 10:43:34 -0700 (PDT)
Received: from mail-qe0-x234.google.com (mail-qe0-x234.google.com [IPv6:2607:f8b0:400d:c02::234]) by ietfa.amsl.com (Postfix) with ESMTP id 0DF1B11E82AF; Mon, 19 Aug 2013 10:43:33 -0700 (PDT)
Received: by mail-qe0-f52.google.com with SMTP id a11so1902046qen.11 for <multiple recipients>; Mon, 19 Aug 2013 10:43:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=IbzP1Ny/4cL1iaiTF4hO4aX2sthSSiVPpD8QZziIzQk=; b=ACn8Sy6wAYVSNd2JHGYhpMftbR29p/ckAKGWaVzefKARo3fY6iSMT2zF8ygMMJwStQ hNJVB2W8Q9T8fSk7XcodWJ729HmAtHUf3qDHG5gYxE6CDTWU832Ha1BlGX6qZ6UncQLY N5cUnmrSiHzjkNbF9AR3YAaGe4j8WXwBNrWBbZ/9TUKf0xiTRLitJgIDzVHdEt3Wlz4u bbdJnA0Jb7aA7camrtwZNDuxTCnGiOpUA0zHsgj0H6/NJiDu0bZwaem+GkRoj8lyszVk sP/x0xFvGGWHa9riYn9QbxYIm4sBS9+IXI/0SQI0SzX3N8BoRxXLcJ6R3DLzQOZe25UM 7nag==
MIME-Version: 1.0
X-Received: by 10.224.74.4 with SMTP id s4mr16868894qaj.51.1376934209339; Mon, 19 Aug 2013 10:43:29 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.224.59.211 with HTTP; Mon, 19 Aug 2013 10:43:29 -0700 (PDT)
In-Reply-To: <CAL02cgRjSEhA7WKLnue1fELFeh4aN4ZT_J6GVCW-iGXnWXvAFQ@mail.gmail.com>
References: <20130815014121.17800.33179.idtracker@ietfa.amsl.com> <520FFD18.2010008@gondrom.org> <CALaySJJLJyHL8ZiWcgqO8n-MdHrkdJ3XRni7Axb4NSLkh2_v6A@mail.gmail.com> <CAL02cgT=8GOWo2ROLpvRaKuW=_Wb=qPEE=wwHPsqSWfkvk4NRw@mail.gmail.com> <52122EAD.8010503@gondrom.org> <CAL02cgRjSEhA7WKLnue1fELFeh4aN4ZT_J6GVCW-iGXnWXvAFQ@mail.gmail.com>
Date: Mon, 19 Aug 2013 13:43:29 -0400
X-Google-Sender-Auth: 5cETe_QUf5MHI_2e7k6DGGwdNX0
Message-ID: <CALaySJKZh=E8e+UJfKO8kqHFvK8PJwZGeV5pW-NKyuRKRk4wXw@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "draft-ietf-websec-x-frame-options@tools.ietf.org" <draft-ietf-websec-x-frame-options@tools.ietf.org>, websec <websec@ietf.org>, The IESG <iesg@ietf.org>, "websec-chairs@tools.ietf.org" <websec-chairs@tools.ietf.org>
Subject: Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 17:43:35 -0000
Richard: 1. I disagree with you, but more to the point... 2. ...do you really think this meets the DISCUSS criteria? Barry On Mon, Aug 19, 2013 at 11:42 AM, Richard Barnes <rlb@ipv.sx> wrote: > > > > On Mon, Aug 19, 2013 at 10:41 AM, Tobias Gondrom > <tobias.gondrom@gondrom.org> wrote: >> >> On 19/08/13 15:48, Richard Barnes wrote: >> >> >> >> >> On Sun, Aug 18, 2013 at 1:58 AM, Barry Leiba <barryleiba@computer.org> >> wrote: >>>> >>>> > (D2) It seems like this is a value that browsers might cache, to avoid >>>> > unnecessary requests if the same page is framed in the future. If >>>> > this >>>> > is something browsers do today, please say so. >>>> >>>> Actually I like to push back in this case, as I don't think we should go >>>> into implementation specific details that have no effect on the bits on >>>> the wire nor on the effective behavior of the browser. >>>> The X-Frame-Options header determines the behaviour for every individual >>>> requested page regarding framing in another web page in the browser. >>>> Whether the browser caches this information and compares the request >>>> with an existing cache from a request from before AND if the value is >>>> identical proceeds as before or whether the browser evaluates the >>>> X-Frame-Options header on each request should not be specified in this >>>> draft. >>> >>> >>> I'll note also that this is particularly the case because this is >>> documenting something that exists, but that isn't recommended for >>> implementation. If this were a PS that we were recommending for new >>> implementations, it might make more sense to talk about how to do caching >>> for better implementations. >>> >>> Barry >> >> >> I understand. Caching is just another aspect of existing implementation >> behavior that I think should be documented. >> >> Of course, I may be off base here. If nobody does it, and people think >> it's patently obvious that you never would, then I could clear. >> >> --Richard >> >> >> Richard, >> >> in short: I think, we really don't need and in fact should not discuss >> caching of the existing implementations in this draft. >> >> Some info fyi: >> caching has only very limited (or no) benefit here. Because the browser >> has to check for every http-request of the resource whether the >> X-Frame-Options header has been set and then act accordingly. It is also a >> very simple check. >> >> And consider as a page itself might be dynamic, the header can change with >> it, too. >> >> As mentioned in my answer before the only mini advantage of caching might >> be that the browser sees the header is still the same as before (with a >> simple TRUE/FALSE regex) and then doesn't have to evaluate the ruleset again >> e.g. if ALLOW-FROM is set if you already did so in your previous call. >> But nearly all of the X-Frame-Options requests are DENY or SAMEORIGIN in >> which case the comparison of the header with the previous one would not be >> much cheaper than to just run the regex rule for the header itself. >> >> And also, as outlined in section 2.3.2.3., servers may generate >> X-Frame-Options header responses depending on the request. >> Example case: Consider that we have only one serialized-origin in the >> ALLOW-FROM directive. Now imagine a user has multiple pages open in his >> browser tabs with one of web page 1 from domain A and the second of web page >> 2 from domain B both frame the same page from domain C with the ALLOW-FROM >> directive. In that case the page needs to reply to both requests with >> different X-Frame-Options headers, the first pointing to origin A, the >> second to origin B. >> But then many implementations don't support the ALLOW-FROM directive.... >> >> So to summarize my answer: we really don't need and in fact should not >> discuss caching of the existing implementations. >> >> All the best, Tobias > > > Again, I'm not looking for an analysis of the merits here, just what current > browsers do. It looks like Firefox doesn't cache anything [1], but I don't > know about other browsers. If anyone does, then this document should warn > people. If there are no known instances of caching, I'll just clear. > > In a related vein, the code below demonstrates that at least Firefox *will* > accept a URI with ALLOW-FROM, and (correctly) do the comparison based on the > origin of that URI. If other browsers do this, then with regard to (D3), it > seems this document should probably say that the header *syntax* allows a > URI, but the *comparison* is done based on the origin of the URI (Section 4 > of RFC 6454). > > Thanks, > --Richard > > [1] > <http://dxr.mozilla.org/mozilla-central/source/docshell/base/nsDSURIContentListener.cpp#l361> >
- [websec] Richard Barnes' Discuss on draft-ietf-we… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Hill, Brad
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Barry Leiba
- Re: [websec] Richard Barnes' Discuss on draft-iet… Yoav Nir
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Barry Leiba
- Re: [websec] Richard Barnes' Discuss on draft-iet… Hill, Brad
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes