Re: [websec] specify existing X-Frame-Options ? (was: Re: FYI: New draft draft-gondrom-frame-options-01)
Tobias Gondrom <tobias.gondrom@gondrom.org> Sat, 23 July 2011 16:19 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D870621F8A4B for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 09:19:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level:
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4x3dITSbfvd6 for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 09:19:09 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id F292821F896E for <websec@ietf.org>; Sat, 23 Jul 2011 09:19:08 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=H4/C0nEa4Zx2GiXfipyofOEIe0aopi5GYDMe0zii34i73bUk7BfKveNMcdRNm6qzIUBM6xTPLz91y33od44B5mWto+n/tBOc/cNT5cg4MZ6tHUuIoPSjJUnXLKT/MLmJ; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 13713 invoked from network); 23 Jul 2011 18:19:04 +0200
Received: from unknown (HELO ?172.17.9.73?) (207.134.107.2) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 23 Jul 2011 18:19:04 +0200
Message-ID: <4E2AF47A.6070207@gondrom.org>
Date: Sat, 23 Jul 2011 17:19:06 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: Jeff.Hodges@KingsMountain.com
References: <4E1689CB.3010504@KingsMountain.com>
In-Reply-To: <4E1689CB.3010504@KingsMountain.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] specify existing X-Frame-Options ? (was: Re: FYI: New draft draft-gondrom-frame-options-01)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2011 16:19:09 -0000
Jeff, thank you very much for the review. Will add missing references in version -02. - Tobias On 08/07/11 05:38, =JeffH wrote: > > Hi Tobias -- thanks for working on this spec, it will be good to get > this all more formally documented. > > It appears that the -01 rev of draft-gondrom-frame-options takes into > account the apparently present X-Frame-Options documentation here.. > > > [2] Combating ClickJacking With X-Frame-Options > EricLaw [MSFT] > 30 Mar 2010 2:42 PM > <http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx> > > > > ..which apparently supersedes the prior nominal documentation.. > > > [1] IE8 Security Part VII: ClickJacking Defenses > ieblog > 27 Jan 2009 9:40 PM > <http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx> > > > > ..and which draft-gondrom-frame-options-00 appears to have been based on. > > > As Dave Ross earlier today noted in.. > > Re: [websec] FYI: New draft draft-gondrom-frame-options-01 > http://www.ietf.org/mail-archive/web/websec/current/msg00388.html > > ..the -01 spec rev differs from [2] in that it allows for declaring an > origin list as a value for the ALLOW-FROM directive. > > Also, the header name is declared as "Frame-Options" rather than > what's presently implemented and deployed: "X-FRAME-OPTIONS". > > > Why don't we (WebSec) first simply document present X-FRAME-OPTIONS > practice and get that more formally nailed down before we begin > enhancing/altering it ? > > After all, it's apparently implemented in most all major browsers, and > (I hear) emitted by a fair number of web applications. Plus, there's > always the question of how closely all those implementations today > conform to the present de jure specification, especially the "new" > ALLOW-FROM directive in [2]. > > This would be in the same spirit as the RFC6265 "HTTP State > Management" (aka Cookies) effort where we (hopefully unambiguously) > documented the present implemented and deployed cookie subprotocol. > > thanks, > > =JeffH > > > > > > > >
- Re: [websec] specify existing X-Frame-Options ? (… =JeffH
- [websec] specify existing X-Frame-Options ? (was:… =JeffH
- Re: [websec] specify existing X-Frame-Options ? (… David Ross
- Re: [websec] specify existing X-Frame-Options ? (… David Ross
- Re: [websec] specify existing X-Frame-Options ? (… =JeffH
- Re: [websec] specify existing X-Frame-Options ? (… Peter Saint-Andre
- Re: [websec] specify existing X-Frame-Options ? (… David Ross
- Re: [websec] specify existing X-Frame-Options ? (… Tobias Gondrom
- Re: [websec] specify existing X-Frame-Options ? (… Tobias Gondrom