Re: [websec] I-D Action: draft-ietf-websec-frame-options-00.txt

Tobias Gondrom <> Fri, 06 July 2012 11:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AB78B21F87A8 for <>; Fri, 6 Jul 2012 04:09:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -96.778
X-Spam-Status: No, score=-96.778 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GuNj-9e2OQe3 for <>; Fri, 6 Jul 2012 04:09:42 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id E45A121F879E for <>; Fri, 6 Jul 2012 04:09:41 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default;; b=lYrEW2SOH5tGRokuRDr9skhEMV7bNBrWpGbsZDcP19rVJ0Ux+YCE1UHiiztURgroL9eNR7KBCQyFvVGdy4vTo5hDp6bKW7a6bAgD52MKEoy6VSjpJ0sD2nq5D7ir2KvS; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 7717 invoked from network); 6 Jul 2012 13:09:43 +0200
Received: from (HELO ? ( by with (DHE-RSA-AES256-SHA encrypted) SMTP; 6 Jul 2012 13:09:43 +0200
Message-ID: <>
Date: Fri, 06 Jul 2012 12:09:42 +0100
From: Tobias Gondrom <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] I-D Action: draft-ietf-websec-frame-options-00.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 06 Jul 2012 11:09:43 -0000


Hello dear websec fellows,

please note that following the consensus of the WG for adotion of the 
drafts, David and I revised the draft-gondrom-frame-options-02 draft and 
uploaded it as websec WG document: draft-ietf-websec-frame-options-00

And my apologies that this revision took so long, as I was a bit 
occupied with other drafts.

Please take a read and am looking forward to your feedback.

To my knowledge there are a number of topics to be discussed about this 
draft, two of them being:
1. we (the editors) removed the list of origins from the ALLOW-FROM 
field, due to performance concerns with processing the origin-list. Now 
it is only one URI. I am personally not entirely sure this to be the 
right way, so would like to encourage discussion about this.
2. There has been some discussion whether FO (Frame-Options) should be 
done in CSP instead.
In 2010/2011 there was an informal discussion about this with people 
from WebAppSec with the recommendation to put in websec and it was 
removed from the initial CSP version back then.
I still think that this was the right step and that FO is better done as 
the successor of XFO in websec and the logical evolution step than 
putting it in CSP.
My main thoughts here are:
- clear migration path from XFO to FO
- IMHO the FO function does not fit naturally with the other functions 
and semantic of CSP if you look closely at CSP. And although I can sense 
that it may look tempting to think about "saving http headers" and put 
everything into one, I don't think this to be the right approach for FO 
(nor in general).

However, I wanted to revive this discussion on the mailing-list whether 
we should give up on FO and ask W3C WebAppSec to put it into CSP. One 
thing I would really like to see in this discussion is to learn about 
the perceived benefits from discontinuing our current approach on 
Frame-Options in websec and trying to integrate it into CSP.

Btw. I will be out-of-office the next 5 days, so my apologies if I can 
not answer to questions and arguments on FO immediately. I will be back 
very shortly.

Best regards and looking forward to reviews and discussions.


On 06/07/12 11:47, wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>   This draft is a work item of the Web Security Working Group of the IETF.
> 	Title           : HTTP Header Frame Options
> 	Author(s)       : David Ross
>                            Tobias Gondrom
> 	Filename        : draft-ietf-websec-frame-options-00.txt
> 	Pages           : 9
> 	Date            : 2012-07-06
> Abstract:
>     To improve the protection of web applications against Clickjacking
>     this standards defines a http response header that declares a policy
>     communicated from a host to the client browser whether the
>     transmitted content MUST NOT be displayed in frames of other pages
>     from different origins which are allowed to frame the content.
> The IETF datatracker status page for this draft is:
> There's also a htmlized version available at:
> Internet-Drafts are also available by anonymous FTP at:
> _______________________________________________
> websec mailing list