Re: [websec] Stephen Farrell's Yes on draft-ietf-websec-x-frame-options-09: (with COMMENT)

Barry Leiba <barryleiba@computer.org> Sat, 17 August 2013 20:01 UTC

In-Reply-To: <520FCF84.9010605@gondrom.org>
References: <20130814224803.25993.58131.idtracker@ietfa.amsl.com> <520FCF84.9010605@gondrom.org>
Date: Sat, 17 Aug 2013 16:01:10 -0400
Message-ID: <CALaySJ+VdNR=K6Tjb5VdadpPBi2DDP2kiSNDYFdQuvMAmTn1ow@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Cc: "websec-chairs@tools.ietf.org" <websec-chairs@tools.ietf.org>, "draft-ietf-websec-x-frame-options@tools.ietf.org" <draft-ietf-websec-x-frame-options@tools.ietf.org>, "websec@ietf.org" <websec@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [websec] Stephen Farrell's Yes on draft-ietf-websec-x-frame-options-09: (with COMMENT)

Indeed.  Really, the bottom line here is that things such as NoScript work
well for us geeks, who know how to deal with the failures and exceptions,
but they are horrid user experiences for people like my mother.

Barry

On Saturday, August 17, 2013, Tobias Gondrom wrote:

> On 14/08/13 23:48, Stephen Farrell wrote:
> > Stephen Farrell has entered the following ballot position for
> > draft-ietf-websec-x-frame-options-09: Yes
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-websec-x-frame-options/
> >
> >
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> >
> > (Personal opinion only, no change requested unless it
> > resonates with folks.) I would prefer that this not say
> > that NoScript impairs broswer utility. I find it fine.
> >
> > Other than that, this is a fine draft, thanks.
> >
>
> Stephen,
> personally, I use NoScript, too.
>
> But, looking at today's web applications, JavaScript and frames are widely
> spread and many web applications would indeed be very impaired if you
> disable JavaScript and frames in your browser entirely.
> Some years ago people tried to discourage JavaScript for security
> sensitive applications (read "most of the web applications") and to
> disable JavaScript in the browser, but meanwhile we moved past that
> point and try to fix the security/trust models for JavaScript using CSP
> - which I hope gives us another chance to fix large parts of it.
> JavaScript functions are quite common nowadays in airline booking
> systems, banking, corporate websites, etc. Be it for design, client side
> input validation or other interactive functionality up to editing
> capabilities.
>
> Best regards, Tobias
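The thread above is about the X-Frame-Options draft and points at CSP as the model that is meant to replace client-side blocking such as NoScript. As an added illustration (my own code, not from the draft, the thread, or any browser), the following evaluator decides whether a response may be rendered in a frame from the two server-side headers in question: X-Frame-Options with its DENY, SAMEORIGIN and ALLOW-FROM values, and the CSP frame-ancestors directive. The sample responses and the origins bank.example, partner.example and evil.example are constructed for the example. The simplifications are mine and not mandated by the draft: only the top-level origin is compared rather than every intermediate ancestor, unrecognised or conflicting X-Frame-Options values fail closed, and frame-ancestors takes precedence over X-Frame-Options whenever it is present.

```javascript
// Added example for this page: not code from draft-ietf-websec-x-frame-options,
// from the thread, or from any browser. Decides whether a response may be shown
// in a frame from the two anti-framing headers the thread touches on:
// X-Frame-Options (DENY / SAMEORIGIN / ALLOW-FROM <origin>) and CSP
// frame-ancestors. Simplifications I chose, not mandated by the draft:
// only the top-level origin is compared (not every ancestor); unrecognised or
// conflicting X-Frame-Options values fail closed; a CSP frame-ancestors
// directive is evaluated instead of X-Frame-Options when present (CSP Level 2
// says X-Frame-Options MUST be ignored then); sources are 'none', 'self' and
// explicit origins only.

const originOf = (url) => new URL(url).origin; // scheme://host[:port]

function getHeader(headers, name) {
  // Case-insensitive lookup; undefined when absent.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

function evaluateXFrameOptions(value, framedOrigin, topOrigin) {
  if (value === undefined) return { allowed: true, reason: 'no X-Frame-Options header' };
  const v = value.trim();
  // e.g. "DENY, SAMEORIGIN": the draft leaves this undefined, so fail closed.
  if (v.includes(',')) return { allowed: false, reason: 'conflicting X-Frame-Options values' };
  const upper = v.toUpperCase();
  if (upper === 'DENY') return { allowed: false, reason: 'DENY' };
  if (upper === 'SAMEORIGIN') {
    const ok = framedOrigin === topOrigin;
    return { allowed: ok, reason: ok ? 'SAMEORIGIN matches' : 'SAMEORIGIN mismatch' };
  }
  if (upper.startsWith('ALLOW-FROM')) {
    let permitted;
    try {
      permitted = originOf(v.slice('ALLOW-FROM'.length).trim());
    } catch (e) {
      return { allowed: false, reason: 'ALLOW-FROM with unparsable origin' };
    }
    const ok = permitted === topOrigin;
    return { allowed: ok, reason: ok ? 'ALLOW-FROM matches' : 'ALLOW-FROM mismatch' };
  }
  return { allowed: false, reason: `unrecognised value "${v}"` };
}

// Source list of the frame-ancestors directive, or null if the policy has none.
function frameAncestorsSources(csp) {
  if (csp === undefined) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

function evaluateFrameAncestors(sources, framedOrigin, topOrigin) {
  const plain = sources.map((s) => s.replace(/^'|'$/g, '').toLowerCase());
  if (plain.length === 1 && plain[0] === 'none') return { allowed: false, reason: "frame-ancestors 'none'" };
  for (const s of plain) {
    if (s === 'none') continue; // 'none' mixed with other sources is ignored
    if (s === 'self') {
      if (framedOrigin === topOrigin) return { allowed: true, reason: "frame-ancestors 'self'" };
      continue;
    }
    // A scheme-less source inherits the protected resource's scheme.
    const candidate = s.includes('://') ? s : `${new URL(framedOrigin).protocol}//${s}`;
    try {
      if (originOf(candidate) === topOrigin) return { allowed: true, reason: `frame-ancestors ${s}` };
    } catch (e) {
      // unparsable source expression: skip it rather than grant anything
    }
  }
  return { allowed: false, reason: 'frame-ancestors: no source matched' };
}

function mayBeFramed(headers, framedOrigin, topOrigin) {
  const sources = frameAncestorsSources(getHeader(headers, 'Content-Security-Policy'));
  if (sources !== null) return evaluateFrameAncestors(sources, framedOrigin, topOrigin);
  return evaluateXFrameOptions(getHeader(headers, 'X-Frame-Options'), framedOrigin, topOrigin);
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  bankLogin: { 'X-Frame-Options': 'DENY' },
  intranetWidget: { 'x-frame-options': 'SAMEORIGIN' },
  partnerWidget: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example/' },
  cspOverridesXfo: {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example",
  },
  sloppy: { 'X-Frame-Options': 'DENY, SAMEORIGIN' },
  unprotected: {},
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const r = mayBeFramed(headers, 'https://bank.example', 'https://evil.example');
  console.log(name.padEnd(16), r.allowed ? 'FRAMABLE' : 'BLOCKED ', r.reason);
}
```

Run it with node; the `cspOverridesXfo` case is the one worth noticing: the response says DENY in X-Frame-Options but its CSP lists partner.example, so a partner.example top-level page may frame it while evil.example may not. That is the trust-model shift the thread is describing: the page, not a client-side blocker like NoScript, states who is allowed to embed it.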