Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)

[Yoav Nir <ynir@checkpoint.com>]

Hi Richard.

Please see below. Do the changes address your concerns?

Yoav


On Aug 15, 2013, at 4:41 AM, Richard Barnes <rlb@ipv.sx> wrote:

> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> (D1) The privacy considerations make no sense to me.  To whom is data
> being leaked?  To the browser?  To random people who send a request to a
> URI?  Do you mean that X-Frame-Options leaks information about who the
> site authorizes?  That's true, but also true of things like CORS.  If
> this is the concern, you should recommend a mitigation that's basically
> the same as what CORS does, namely varying the value of X-Frame-Options
> based on the Referer or Origin header.

The text for Privacy Considerations has changed
OLD:
   The parameter ALLOW-FROM allows a page to guess who is framing it.
   This is inherent by design, but may lead to data leakage or data
   protection concerns.
NEW:
   There are two kinds of potential data leakage to consider:

   1.  Using X-FRAME-OPTIONS with the parameter ALLOW-FROM allows a page
       to guess or infer information about who is framing it.  A web
       server may answer requests with the X-FRAME-OPTIONS ALLOW-FROM
       header and by thus determine which other page is framing it.
       This is inherent by design, but may lead to data leakage or data
       protection concerns.

   2.  The web server using the ALLOW-FROM directive may disclose to
       other parties who request the page in the header by which page it
       is allowed to be framed.  If a web server wishes to reduce this
       leakage, it is recommended to generate the ALLOW-FRAM header for
       each request based on the design pattern as described in section
       2.3.2.3.

> (D2) It seems like this is a value that browsers might cache, to avoid
> unnecessary requests if the same page is framed in the future.  If this
> is something browsers do today, please say so.  

Since Tobias is arguing this (  ), I'll leave this one alone for now, but please let us know if you've been convinced.

> (D3) Shouldn't ALLOW-FROM be followed by an origin, not a URI?  In other
> words, what does it mean to send "X-Frame-Options: ALLOW-FROM
> https://example.com/this/is/a/path?query#fragment"?  

OLD:
   ALLOW-FROM  (followed by a URI [RFC3986] of a trusted origin)
NEW:
   ALLOW-FROM  (followed by a serialized-origin [RFC6454])

> (D3) In the ALLOW-FROM: what does "top level context" mean?  Do you
> really mean the top level here, as opposed to the next one up?  For
> example, suppose A loads B in an iframe, and B loads C, and then C sends
> an X-Frame-Options header with ALLOW-FROM.  Is the ALLOW-FROM origin
> compared to B or A?  In either case, you should also note the attacks
> that remain.  For example, if the answer is B, then B needs to use
> X-Frame-Options as well, or else, A can maliciously frame A within B.  Or
> if the answer is A, then C is trusting A not to load any malicious
> intermediate frames B.

New (in sectin 2.3.2.2):
   To illustrate the difference between the comparison with "framing
   page" and the "top-level browsing-context" consider the following
   scenario: Web pages may embed frames with other pages which in turn
   embed frames with other pages as well and so on.  In theory this can
   result in an infinite nesting of framed pages.  For example web page
   A may contain in a frame web page B, and web page B contains in a
   frame web page C.

   Web page A
   <html>
   ....
   <frame src="https://URI_of_web_page_B" />
   </html>

   Web Page B
   <html>
   ....
   <frame src="https://URI_of_web_page_C" />
   </html>

   And so forth...


   In this example, for the nested frames with the inner framed web page
   C, the most outer web page A would be the "top-level browsing-
   context" and web page B would be the "framing page"