IETF Logo Mail Archive

Re: [websec] Coordinating Frame-Options and CSP UI Safety directives

David Ross <dross@microsoft.com> Mon, 16 July 2012 17:54 UTC

Return-Path: <dross@microsoft.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6787411E825C for <websec@ietfa.amsl.com>; Mon, 16 Jul 2012 10:54:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.467
X-Spam-Level:
X-Spam-Status: No, score=-0.467 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KNRh73KLkB7z for <websec@ietfa.amsl.com>; Mon, 16 Jul 2012 10:54:46 -0700 (PDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe002.messaging.microsoft.com [213.199.154.205]) by ietfa.amsl.com (Postfix) with ESMTP id E861B11E827B for <websec@ietf.org>; Mon, 16 Jul 2012 10:54:45 -0700 (PDT)
Received: from mail47-am1-R.bigfish.com (10.3.201.234) by AM1EHSOBE008.bigfish.com (10.3.204.28) with Microsoft SMTP Server id 14.1.225.23; Mon, 16 Jul 2012 17:55:29 +0000
Received: from mail47-am1 (localhost [127.0.0.1]) by mail47-am1-R.bigfish.com (Postfix) with ESMTP id E1529203AA for <websec@ietf.org>; Mon, 16 Jul 2012 17:55:29 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -19
X-BigFish: VS-19(zz9371I542M1418I604Tzz1202hzzz2fh2a8h683h839h944hd25hf0ah107ah)
Received-SPF: pass (mail47-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=dross@microsoft.com; helo=TK5EX14HUBC106.redmond.corp.microsoft.com ; icrosoft.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.234.5; KIP:(null); UIP:(null); (null); H:SN2PRD0310HT004.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail47-am1 (localhost.localdomain [127.0.0.1]) by mail47-am1 (MessageSwitch) id 1342461327804909_26176; Mon, 16 Jul 2012 17:55:27 +0000 (UTC)
Received: from AM1EHSMHS005.bigfish.com (unknown [10.3.201.229]) by mail47-am1.bigfish.com (Postfix) with ESMTP id C2EF524008C for <websec@ietf.org>; Mon, 16 Jul 2012 17:55:27 +0000 (UTC)
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS005.bigfish.com (10.3.207.105) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 16 Jul 2012 17:55:27 +0000
Received: from co1outboundpool.messaging.microsoft.com (157.54.51.114) by mail.microsoft.com (157.54.80.61) with Microsoft SMTP Server (TLS) id 14.2.309.3; Mon, 16 Jul 2012 17:55:24 +0000
Received: from mail59-co1-R.bigfish.com (10.243.78.249) by CO1EHSOBE008.bigfish.com (10.243.66.71) with Microsoft SMTP Server id 14.1.225.23; Mon, 16 Jul 2012 17:55:24 +0000
Received: from mail59-co1 (localhost [127.0.0.1]) by mail59-co1-R.bigfish.com (Postfix) with ESMTP id 5C57688024C for <websec@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Mon, 16 Jul 2012 17:55:24 +0000 (UTC)
Received: from mail59-co1 (localhost.localdomain [127.0.0.1]) by mail59-co1 (MessageSwitch) id 1342461322167199_22508; Mon, 16 Jul 2012 17:55:22 +0000 (UTC)
Received: from CO1EHSMHS016.bigfish.com (unknown [10.243.78.247]) by mail59-co1.bigfish.com (Postfix) with ESMTP id 1D5C7400044; Mon, 16 Jul 2012 17:55:22 +0000 (UTC)
Received: from SN2PRD0310HT004.namprd03.prod.outlook.com (157.56.234.5) by CO1EHSMHS016.bigfish.com (10.243.66.26) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 16 Jul 2012 17:55:21 +0000
Received: from SN2PRD0310MB395.namprd03.prod.outlook.com ([169.254.3.253]) by SN2PRD0310HT004.namprd03.prod.outlook.com ([10.255.112.39]) with mapi id 14.16.0175.005; Mon, 16 Jul 2012 17:55:20 +0000
From: David Ross <dross@microsoft.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>, IETF WebSec WG <websec@ietf.org>
Thread-Topic: [websec] Coordinating Frame-Options and CSP UI Safety directives
Thread-Index: AQHNYI6lkz8Gk35PQYOw0F4CVEc1fpcsMs4A
Date: Mon, 16 Jul 2012 17:55:20 +0000
Message-ID: <9B5348748B708948989B17CC0AEA3DD004936E@SN2PRD0310MB395.namprd03.prod.outlook.com>
References: <4FFF6C0C.7010404@KingsMountain.com>
In-Reply-To: <4FFF6C0C.7010404@KingsMountain.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.174.87]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: SN2PRD0310HT004.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%KINGSMOUNTAIN.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC106.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC106.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
Subject: Re: [websec] Coordinating Frame-Options and CSP UI Safety directives
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jul 2012 17:54:47 -0000

In the interest of bloat as measured in bits, in this case it makes sense to optimize for (2), reducing header value bloat, even if this is at the expense of (1), reducing header name bloat.  I was worried that with CSP we can't achieve on (2).  But if we can specify the ABNF as you suggest below, that solves the problem.

I also would like to see the inclusion of the AllAncestors flag as you suggest below.  Or if it makes more sense here, a "NoAncestors" flag.

Dave

-----Original Message-----
From: =JeffH [mailto:Jeff.Hodges@KingsMountain.com] 
Sent: Thursday, July 12, 2012 5:30 PM
To: David Ross; IETF WebSec WG
Subject: Re: [websec] Coordinating Frame-Options and CSP UI Safety directives

thanks for your thoughts Dave,

 > My concern is mostly around the degree to which a move to CSP might  > complicate or stall the process.

by this I presume you mean the process of producing a spec for a standardized "frame-options" (i.e., the successor to "x-frame-options").

I don't think leveraging CSP as a framework, per se, would necessarily slow this down.

 >  I'd also prefer not to see additional use  > cases pop up (eg: click fraud prevention) that just were never in scope  > before.

I think it's reasonable to discuss whether the "frame-options" policy directive (aka "frame-ancestors", "embed-ancestors") should be specified as a part of the nascent "UI Safety directives" spec (in W3C WebAppSec), or the CSP 1.1 spec (in W3C WebAppSec), or as a stand-alone spec.


 > I think that w.r.t. header bloat,

Ah, so there's two aspects to "header bloat" in this discussion..

1. "header bloat" in relation to possibly defining yet another HTTP header field to convey a security policy, i.e. a stand-alone "frame-options" header field.

2. "header value bloat" in terms of having a header field into which server operators may feel obliged to cram a huge list of items (i.e., origins).

 From a high-level perspective, casting "frame-options" as a CSP directive works towards addressing (1).


 > the most sensible approach is to only allow one origin to be specified.

And this statement is addressing (2).


 > CSP by-design facilitates the use of multiple origins.

However, the ABNF of any particular CSP directive can be crafted in order to 
allow only one origin to be specified as a value, e.g. like so..

   directive-name  = "frame-options"
   directive-value = host-source

[ where host-source is defined as..

   host-source       = [ scheme "://" ] host [ port ]
]

 > As we've discussed w/Frame-Options, there is a design pattern to
 > make the more basic single-origin approach functional.

understood.

(fwiw, I'd term what you're calling a "design pattern" as a "implementation and 
deployment technique")


 > With regard to obsolescence of X-FRAME-OPTIONS, it's easy to specify exactly
 > what happens in the FRAME-OPTIONS spec.  I don't see that CSP inherently
 > improves on that but I may be missing something there.

regardless of which specification vehicle we use for the "frame-options" policy 
directive, we'll be able to denote (in some fashion) that it supersedes the old 
"x-frame-options" header. (this is going to be somewhat messy in any case)


 > The advantage I see of bringing FRAME-OPTIONS into CSP is that it makes CSP
 > more comprehensive.  But I suspect there are plenty of other header-related
 > security features that aren't defined by CSP (eg: the origin header, cookie
 > security).

well, of course CSP doesn't encompass "everything" and isn't intended to. But we 
certainly should be carefully considering consolidating  policy directive 
conveyance as appropriate, and the "frame-options" (aka "frame-ancestors", 
"embed-ancestors") notion seems to fall reasonably within the "content security 
policy" space -- a key aspect being that it is regarding a particular resource 
representation (as I presently understand it).


 > Finally, as Brad pointed out in the rosetta stone thread, Frame-Options
 > provides the flexibility to perform only a top level origin check as opposed
 > to a full ancestor check.  (Specified via the "AllAncestors" flag.)

Well, the "AllAncestors" flag can certainly be added to a CSP-based 
"frame-options" policy directive. e.g. by defining a new "keyword-source" of 
'all-ancestors'.

=JeffH

v2.23.0 | Report a Bug | By Email