Re: [websec] Frame embedding: One problem, three possible specs?
Adam Barth <w3c@adambarth.com> Thu, 07 July 2011 22:24 UTC
Return-Path: <w3c@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 452A321F8733 for <websec@ietfa.amsl.com>; Thu, 7 Jul 2011 15:24:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RTHEcaAqd9ba for <websec@ietfa.amsl.com>; Thu, 7 Jul 2011 15:24:18 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6F22D21F872E for <websec@ietf.org>; Thu, 7 Jul 2011 15:24:18 -0700 (PDT)
Received: by iye7 with SMTP id 7so1532779iye.31 for <websec@ietf.org>; Thu, 07 Jul 2011 15:24:17 -0700 (PDT)
Received: by 10.231.41.69 with SMTP id n5mr1168900ibe.83.1310077456020; Thu, 07 Jul 2011 15:24:16 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id b6sm2931488ibg.48.2011.07.07.15.24.15 (version=SSLv3 cipher=OTHER); Thu, 07 Jul 2011 15:24:15 -0700 (PDT)
Received: by iye7 with SMTP id 7so1532747iye.31 for <websec@ietf.org>; Thu, 07 Jul 2011 15:24:15 -0700 (PDT)
Received: by 10.42.19.69 with SMTP id a5mr1281750icb.69.1310077455054; Thu, 07 Jul 2011 15:24:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.50.16 with HTTP; Thu, 7 Jul 2011 15:23:45 -0700 (PDT)
In-Reply-To: <DAD1FA49-1355-4769-852C-F47AB8E04682@w3.org>
References: <DAD1FA49-1355-4769-852C-F47AB8E04682@w3.org>
From: Adam Barth <w3c@adambarth.com>
Date: Thu, 07 Jul 2011 15:23:45 -0700
Message-ID: <CAJE5ia8GNutuU5d=2v8SjN=Rigck_XPRAoShzFb=s=5KcyLfJA@mail.gmail.com>
To: Thomas Roessler <tlr@w3.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Thu, 07 Jul 2011 16:04:15 -0700
Cc: Charles McCathieNevile <chaals@opera.com>, Maciej Stachowiak <mjs@apple.com>, Eric Rescorla <ekr@rtfm.com>, public-web-security@w3.org, Adrian Bateman <adrianba@microsoft.com>, "Michael(tm) Smith" <mike@w3.org>, websec@ietf.org, public-webapps@w3.org, Mark Nottingham <mnot@mnot.net>, Arthur Barstow <art.barstow@nokia.com>
Subject: Re: [websec] Frame embedding: One problem, three possible specs?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 22:24:19 -0000
My sense from talking with folks is that there isn't a lot of enthusiasm for supporting this use case in CSP at the present time. We're trying to concentrate on a core set of directives for the first iteration. If it helps reduce complexity, you might consider dropping option (1) for the time being. Adam On Thu, Jul 7, 2011 at 2:11 PM, Thomas Roessler <tlr@w3.org> wrote: > (Warning, this is cross-posted widely. One of the lists is the IETF websec mailing list, to which the IETF NOTE WELL applies: http://www.ietf.org/about/note-well.html) > > > Folks, > > there appear to be at least three possible specifications addressing this space, with similar but different designs: > > 1. A proposed deliverable in the WebAppSec group to take up on X-Frame-Options and express those in CSP: > http://www.w3.org/2011/07/appsecwg-charter.html > > (We expect that this charter might go to the W3C AC for review as soon as next week.) > > 2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion") currently considered for publication as an FPWD in the Webapps WG: > http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html > > This draft mentions integration into CSP as a possible path forward. > > 3. draft-gondrom-frame-options, an individual I-D mentioned to websec: > https://datatracker.ietf.org/doc/draft-gondrom-frame-options/ > http://www.ietf.org/mail-archive/web/websec/current/msg00388.html > > > How do we go about it? One path forward might be to just proceed as currently planned and coordinate when webappsec starts working. > > Another path forward might be to see whether we can agree now on what forum to take these things forward in (and what the coordination dance might look like). > > Thoughts welcome. > > Regards, > -- > Thomas Roessler, W3C <tlr@w3.org> (@roessler) > > > >
- [websec] Frame embedding: One problem, three poss… Thomas Roessler
- Re: [websec] Frame embedding: One problem, three … Adam Barth
- Re: [websec] Frame embedding: One problem, three … David Ross
- Re: [websec] Frame embedding: One problem, three … Hill, Brad
- Re: [websec] Frame embedding: One problem, three … Thomas Roessler
- Re: [websec] Frame embedding: One problem, three … Tobias Gondrom