Re: [websec] WGLC feedback for X-Frame-Options
=JeffH <Jeff.Hodges@KingsMountain.com> Thu, 08 November 2012 16:47 UTC
Message-ID: <509BE1F0.4010701@KingsMountain.com>
Date: Thu, 08 Nov 2012 08:46:40 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] WGLC feedback for X-Frame-Options
Thanks to Dave and Tobias for writing up this spec. +1 to other folks' comments on this draft.

I suggest an explicit statement such as..

  The purpose of this specification is to document existing practice.

..should appear in the abstract and the introduction.

It appears to me that there's various editorial roughness even beyond the prior comments that will be caught by the RFC editor (given my recent experience); the document would benefit from a thorough editorial pass.

One item I just noticed that's not mentioned by others, it seems, is that the header field name in S4.1. Registration Template is..

  Header field name: X-Frame-Option

..yet it is referred to as "X-Frame-Options" in the rest of the spec (note the final "s" in the latter, but not in the former). It appears from..

  http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

..that the latter is the correct form that ought to be registered with IANA?

I wonder if also a note will be necessary to explain the use of the "X-" prefix in light of...

  6648 Deprecating the "X-" Prefix and Similar Constructs in Application Protocols. P. Saint-Andre, D. Crocker, M. Nottingham. June 2012.

HTH,

=JeffH
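Editorial note, not part of JeffH's message or the draft under review: the name discrepancy raised above matters operationally, because a server that emits the misspelled field "X-Frame-Option" gets no framing protection at all; browsers look the field up by its exact (case-insensitive) name. The following added Python audit checks a captured response-header block for a correctly spelled X-Frame-Options field, flags lookalike names, and validates the value against the grammar that the published RFC 7034 later fixed (DENY, SAMEORIGIN, ALLOW-FROM origin). The sample header blocks and the status labels are constructed for this example; the lookalike test is a heuristic, not anything from the spec.

```python
# Added example (not code from the mailing-list post or the draft):
# audit a raw HTTP response-header block for the X-Frame-Options field.
# A one-letter misspelling such as "X-Frame-Option" silently disables
# the clickjacking defence, so the audit reports that separately from
# a missing header.
from typing import Dict, List, Tuple

# Values allowed by RFC 7034 (published form of the draft under review).
_VALID_SINGLE = {"DENY", "SAMEORIGIN"}


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a header block (CRLF or LF separated) into (name, value)
    pairs, keeping order and duplicates; an HTTP status line is skipped."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def _value_is_valid(value: str) -> bool:
    """RFC 7034 grammar: DENY | SAMEORIGIN | ALLOW-FROM <serialized-origin>.
    A serialized origin is scheme://host[:port] with no path component."""
    parts = value.split()
    if len(parts) == 1:
        return parts[0].upper() in _VALID_SINGLE
    if len(parts) == 2 and parts[0].upper() == "ALLOW-FROM":
        origin = parts[1].lower()
        if not origin.startswith(("http://", "https://")):
            return False
        return "/" not in origin.split("//", 1)[1]
    return False


def audit_frame_options(raw: str) -> Dict[str, object]:
    """Return {'status', 'values', 'lookalikes'} for one response.

    status is one of (labels constructed for this example):
      ok          exactly one well-formed X-Frame-Options field
      missing     no field and no lookalike
      misspelled  only a lookalike name (e.g. X-Frame-Option) present
      invalid     correct name, value outside the RFC 7034 grammar
      conflict    more than one X-Frame-Options field; browsers do not
                  treat duplicates uniformly, so treat as a finding
    """
    pairs = parse_raw_headers(raw)
    correct = [v for n, v in pairs if n.lower() == "x-frame-options"]
    # Heuristic: any name that normalises to "xframeoption..." but is
    # not the exact field name is reported as a lookalike.
    lookalikes = [
        n for n, _ in pairs
        if n.lower() != "x-frame-options"
        and n.lower().replace("-", "").startswith("xframeoption")
    ]
    if not correct:
        status = "misspelled" if lookalikes else "missing"
    elif len(correct) > 1:
        status = "conflict"
    elif _value_is_valid(correct[0]):
        status = "ok"
    else:
        status = "invalid"
    return {"status": status, "values": correct, "lookalikes": lookalikes}


# Constructed sample header blocks (not captured from any real server).
SAMPLE_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n"
SAMPLE_MISSPELLED = "Content-Type: text/html\r\nX-Frame-Option: DENY\r\n"
SAMPLE_INVALID = "X-Frame-Options: ALLOWALL\r\n"
SAMPLE_ALLOW_FROM = "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
SAMPLE_CONFLICT = "X-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n"

if __name__ == "__main__":
    for label, block in [("ok", SAMPLE_OK), ("misspelled", SAMPLE_MISSPELLED),
                         ("invalid", SAMPLE_INVALID), ("allow-from", SAMPLE_ALLOW_FROM),
                         ("conflict", SAMPLE_CONFLICT)]:
        print(f"{label:11s} -> {audit_frame_options(block)}")
```

Run against headers captured from your own origin (for example the output of a HEAD request saved to a file); a "misspelled" result is the exact failure mode the registration-template typo would produce if it were copied into server configuration.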