Re: [websec] Frame embedding: One problem, three possible specs?
David Ross <dross@microsoft.com> Thu, 07 July 2011 23:07 UTC
Return-Path: <dross@microsoft.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A643C11E80BA for <websec@ietfa.amsl.com>; Thu, 7 Jul 2011 16:07:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.542
X-Spam-Level:
X-Spam-Status: No, score=-10.542 tagged_above=-999 required=5 tests=[AWL=0.057, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fdNfFIN-tcwL for <websec@ietfa.amsl.com>; Thu, 7 Jul 2011 16:07:31 -0700 (PDT)
Received: from smtp.microsoft.com (mail3.microsoft.com [131.107.115.214]) by ietfa.amsl.com (Postfix) with ESMTP id 082CA11E8080 for <websec@ietf.org>; Thu, 7 Jul 2011 16:07:30 -0700 (PDT)
Received: from TK5EX14HUBC104.redmond.corp.microsoft.com (157.54.80.25) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 7 Jul 2011 16:07:24 -0700
Received: from TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com (157.54.71.39) by TK5EX14HUBC104.redmond.corp.microsoft.com (157.54.80.25) with Microsoft SMTP Server (TLS) id 14.1.289.8; Thu, 7 Jul 2011 16:07:24 -0700
Received: from TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com ([169.254.1.52]) by TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com ([157.54.71.39]) with mapi id 14.01.0289.008; Thu, 7 Jul 2011 16:07:24 -0700
From: David Ross <dross@microsoft.com>
To: Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>
Thread-Topic: Frame embedding: One problem, three possible specs?
Thread-Index: AQHMPOqPvqL6Q2gkPU2EbegwuDrztZTh5JWA//+PFMA=
Date: Thu, 07 Jul 2011 23:07:23 +0000
Message-ID: <F94D1172DEEC714BBD7F76476442D7151FD3B64C@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
References: <DAD1FA49-1355-4769-852C-F47AB8E04682@w3.org> <CAJE5ia8GNutuU5d=2v8SjN=Rigck_XPRAoShzFb=s=5KcyLfJA@mail.gmail.com>
In-Reply-To: <CAJE5ia8GNutuU5d=2v8SjN=Rigck_XPRAoShzFb=s=5KcyLfJA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.90]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Thu, 07 Jul 2011 16:10:40 -0700
Cc: Charles McCathieNevile <chaals@opera.com>, Maciej Stachowiak <mjs@apple.com>, Eric Rescorla <ekr@rtfm.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Adrian Bateman <adrianba@microsoft.com>, "Michael(tm) Smith" <mike@w3.org>, "websec@ietf.org" <websec@ietf.org>, "public-webapps@w3.org" <public-webapps@w3.org>, Mark Nottingham <mnot@mnot.net>, Arthur Barstow <art.barstow@nokia.com>
Subject: Re: [websec] Frame embedding: One problem, three possible specs?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 23:07:31 -0000
#3 is a narrowly scoped effort to standardize something that works pretty well today in practice (X-FRAME-OPTIONS). A conflict with CSP would be bad, but per Adam it seems like overlap is looking less likely. So proceeding down the current path on #3 sounds good to me. David Ross dross@microsoft.com -----Original Message----- From: Adam Barth [mailto:w3c@adambarth.com] Sent: Thursday, July 07, 2011 3:24 PM To: Thomas Roessler Cc: Tobias Gondrom; Arthur Barstow; Brad Hill; Eric Rescorla; Alexey Melnikov; David Ross; Anne van Kesteren; Adrian Bateman; Brandon Sterne; Charles McCathieNevile; Maciej Stachowiak; Peter Saint-Andre; Michael(tm) Smith; Mark Nottingham; Jeff Hodges; public-web-security@w3.org; public-webapps@w3.org; websec@ietf.org Subject: Re: Frame embedding: One problem, three possible specs? My sense from talking with folks is that there isn't a lot of enthusiasm for supporting this use case in CSP at the present time. We're trying to concentrate on a core set of directives for the first iteration. If it helps reduce complexity, you might consider dropping option (1) for the time being. Adam On Thu, Jul 7, 2011 at 2:11 PM, Thomas Roessler <tlr@w3.org> wrote: > (Warning, this is cross-posted widely. One of the lists is the IETF > websec mailing list, to which the IETF NOTE WELL applies: > http://www.ietf.org/about/note-well.html) > > > Folks, > > there appear to be at least three possible specifications addressing this space, with similar but different designs: > > 1. A proposed deliverable in the WebAppSec group to take up on X-Frame-Options and express those in CSP: > http://www.w3.org/2011/07/appsecwg-charter.html > > (We expect that this charter might go to the W3C AC for review as soon > as next week.) > > 2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion") currently considered for publication as an FPWD in the Webapps WG: > > http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.htm > l > > This draft mentions integration into CSP as a possible path forward. > > 3. draft-gondrom-frame-options, an individual I-D mentioned to websec: > https://datatracker.ietf.org/doc/draft-gondrom-frame-options/ > http://www.ietf.org/mail-archive/web/websec/current/msg00388.html > > > How do we go about it? One path forward might be to just proceed as currently planned and coordinate when webappsec starts working. > > Another path forward might be to see whether we can agree now on what forum to take these things forward in (and what the coordination dance might look like). > > Thoughts welcome. > > Regards, > -- > Thomas Roessler, W3C <tlr@w3.org> (@roessler) > > > >
- [websec] Frame embedding: One problem, three poss… Thomas Roessler
- Re: [websec] Frame embedding: One problem, three … Adam Barth
- Re: [websec] Frame embedding: One problem, three … David Ross
- Re: [websec] Frame embedding: One problem, three … Hill, Brad
- Re: [websec] Frame embedding: One problem, three … Thomas Roessler
- Re: [websec] Frame embedding: One problem, three … Tobias Gondrom