IETF Logo Mail Archive

Re: [websec] Ted Lemon's No Objection on draft-ietf-websec-x-frame-options-09: (with COMMENT)

Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 14 August 2013 21:08 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 599CD11E81B4 for <websec@ietfa.amsl.com>; Wed, 14 Aug 2013 14:08:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level:
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CGsQc14YafkC for <websec@ietfa.amsl.com>; Wed, 14 Aug 2013 14:08:07 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id 6BB1011E81AD for <websec@ietf.org>; Wed, 14 Aug 2013 14:07:58 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=mUq0KTmBeYukVK/n1U83D5WjenfcFpz/S5+MwVkifm9A0pV1AUlrTDdssThwcUi2pZh2GM6ymePqUhROrpGXTZww/NEt+GotPDAgu+AwxNPSPfGcIOEOh3SwoY9xPe6A; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 20136 invoked from network); 14 Aug 2013 23:07:55 +0200
Received: from 188-222-103-191.zone13.bethere.co.uk (HELO ?192.168.1.64?) (188.222.103.191) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 14 Aug 2013 23:07:55 +0200
Message-ID: <520BF1AB.5000103@gondrom.org>
Date: Wed, 14 Aug 2013 22:07:55 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: ted.lemon@nominum.com
References: <20130814175121.16080.58938.idtracker@ietfa.amsl.com>
In-Reply-To: <20130814175121.16080.58938.idtracker@ietfa.amsl.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Cc: draft-ietf-websec-x-frame-options@tools.ietf.org, websec@ietf.org, iesg@ietf.org, websec-chairs@tools.ietf.org
Subject: Re: [websec] Ted Lemon's No Objection on draft-ietf-websec-x-frame-options-09: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 21:08:22 -0000

Hi Ted,
thanks for the review and your comments.
Answers inline.
I included your feedback comments in version-10 as outlined below (which
I hold back for one day as the changes are not material and I like to
combine them with other potentially upcoming feedback)
Thanks for the review and all the best, Tobias
Best regards, Tobias


On 14/08/13 18:51, Ted Lemon wrote:
> Ted Lemon has entered the following ballot position for
> draft-ietf-websec-x-frame-options-09: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-websec-x-frame-options/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> The introduction of the concept of origins in 2.1 is a bit clumsy—the
> term is used under the SAMEORIGIN heading without being defined, and is
> later defined as a constraint specific only to ALLOW-FROM.   Text about
> browser implementations for SAMEORIGIN and ALLOW-FROM is repeated here
> and in later sections.   It would be better to simply refer to the later
> section.   If I were to clean up this section, I would do something like
> the following:
>
> DENY
>          A browser receiving content with this header MUST NOT display
>          this content in any frame.
>
>    SAMEORIGIN
>          A browser receiving content with this header field MUST NOT
>          display this content in any frame from a page of different
>          origin than the content itself.
>          If a browser or plugin can not reliably determine whether the
>          origin of the content and the frame have the same origin, this
>          MUST be treated as "DENY".   Section 2.3.2.2 documents
>          variations in the handling of this header field by different
>          browsers.
Hm. I see your point.
My solution would be close to your suggestion:
(But not to remove the text before about the variations in implementations)
and add the following text at the end:
"See also section 2.3.2.2 documents variations in the handling of this
header field by different browsers."

>
>    ALLOW-FROM  (followed by a URI [RFC3986] of a trusted origin)
>          A browser receiving content with this header MUST NOT display
>          this content in a frame from any page with a top-level browsing
>          context of different origin than the specified origin.  While
>          this can expose the page to risks by the trusted origin, in
>          some cases it may be necessary to allow the framing by content
>          from other domains.
>
>    The meaning of the term "origin" is given in [RFC6454].
Ok. I added this line as you suggest.
>    If the ALLOW-FROM value is used, it MUST be followed by a valid URI.
>    Any data beyond the domain address (i.e.  any data after the "/"
>    separator) is to be ignored.  And the algorithm to compare origins
>    from [RFC6454] SHOULD be used to verify that a referring page is of
>    the same origin as the content or that the referring page's origin is
>    identical with the ALLOW-FROM URI.  Though in conflict with
>    [RFC6454], current implementations do not consider the port as a
>    defining component of the origin.
>
> I also noticed that in another exchange about this document, someone said
> that this document is not intended to give advice to browser vendors.  
> If that's the case, what is the above SHOULD doing in the text?   Is
> there uncertainty as to what implementations do?   If so, it would be
> better to express that uncertainty, if indeed you are documenting browser
> behavior.
>
> Also, with respect to this text:
>
>    Though in conflict with
>    [RFC6454], current implementations do not consider the port as a
>    defining component of the origin.
>
> Does this mean that http://www.foo.com and http://www.foo.com:8080 are
> considered equivalent, or that http://www.foo.com and
> http://www.foo.com:80 are _not_ considered equivalent?   What about
> http://www.foo.com and https://www.foo.com?

As outline in RFC6454, origin identity is defined by the triplet
protocol, address and port. If all three are identical, the origin is
the same, otherwise not.
As written in the draft, current implementations do not consider the
port as a defining component of the origin, this means that only
protocol and address are defining criteria, i.e. http://www.foo.com:8080
and http://www.foo.com are read as from the same origin. (and
http://www.foo.com and https://www.foo.com are _not_ same origin)

I had the hope with referring to RFC6454 this should be unambiguous and
clear enough. I had the hesitation to write redundant text, but maybe I
got too short. Do you think we need to spell it out more explicitly in
the draft so people understand?

[will keep the text as is until I hear an argument that this is indeed
not clear enough yet.]


>
> The following text is incomprehensible to me as a non-domain-expert:
>
>    The criteria for the SAMEORIGIN option is not evaluated unanimously
>    either: one implementation may evaluate the SAMEORIGIN option based
>    on the origin of the framed page and the framing page, while another
>    may evaluate based on the framed page and the top-level browsing-
>    context.
>
> What is the distinction between "top-level browsing context" and "origin
> of the framing page?"   A reference here would be helpful.
Apologies. In this case I have hesitations to add an explanation about
the nesting of frames in html. In general the concept of nested frames
(and top-level vs. framing page) is reasonably understood.
[will keep the text as is until I hear an argument that this really
needs an explanation in this draft.]


>
> Thanks for documenting this.
>
>

v2.23.0 | Report a Bug | By Email