Re: [websec] I-D Action: draft-ietf-websec-x-frame-options-02.txt - status update

Tobias Gondrom <> Tue, 26 February 2013 09:43 UTC


Hi all,


just a quick update on the status of the informational X-Frame-Options
First, let me thank everyone for the great reviews and feedback and
apologize for not posting the revised draft earlier. I was a little bit
occupied with other work items and also wanted to give enough time to
thoroughly incorporate all your feedback.

I am very grateful for your reviews and feedback and went through all
the emails and incorporated every bit of review feedback you gave me (in
some cases I received feedback from more than one person on an
individual paragraph in which case I chose the proposals that seemed the
best fit to me).

The revision includes the WGLC feedback from Adam, Alexey, Barry, Brad,
Dave, Jeff, Julian, Mark, Peter and Yoav. And I think it significantly
improved the quality of the draft, which before the WGLC still had a
few typos and some not clearly understandable sentences. I hope the revision
does not reflect a good improvement.

Personally, I do not think this update made any major changes to the
draft, especially as it is only documenting what is out there anyway. So
whether we want to re-initiate a second WGLC or submit this to the IESG
for LC will be up to you and my co-chair Yoav and potentially Alexey
(if he is still volunteering to play I-D shepherd for this doc).

Best regards, Tobias

On 26/02/13 03:04, wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>  This draft is a work item of the Web Security Working Group of the IETF.
> 	Title           : HTTP Header Field X-Frame-Options
> 	Author(s)       : David Ross
>                           Tobias Gondrom
> 	Filename        : draft-ietf-websec-x-frame-options-02.txt
> 	Pages           : 11
> 	Date            : 2013-02-25
> Abstract:
>    To improve the protection of web applications against Clickjacking,
>    this specification describes the X-Frame-Options HTTP response header
>    field that declares a policy communicated from the server to the
>    client browser on whether the browser may display the transmitted
>    content in frames that are part of other web pages.  This
>    informational document serves to document the existing use and
>    specification of this X-Frame-Options HTTP response header field.
> The IETF datatracker status page for this draft is:
> There's also a htmlized version available at:
> A diff from the previous version is available at:
> Internet-Drafts are also available by anonymous FTP at:
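The quoted abstract describes the header's job, a server-declared policy on whether a browser may render the response inside a frame of another page, without showing the decision a browser actually makes. The following is an added example written for this archive page, not code from the draft, its authors or the websec working group; it assumes the three directive values the draft went on to standardize in RFC 7034 (DENY, SAMEORIGIN, ALLOW-FROM), compares only the top-level browsing context's origin (browsers differed on whether intermediate ancestors are checked), and uses constructed origins as sample input.

```python
"""
Added example (not from the draft or the mailing-list post): evaluate an
X-Frame-Options header the way a conforming browser would, so a defender
can see exactly what each directive does and, just as important, which
misspelled or malformed values give no protection at all.

Assumptions: directive names per RFC 7034 (DENY, SAMEORIGIN, ALLOW-FROM),
case-insensitive; origins are normalized "scheme://host[:port]" strings;
only the top-level document's origin is compared.
"""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Serialize a URL to its origin: lowercase scheme and host, port only
    when it is not the scheme's default, path and query dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == _DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def parse_xfo(header_value: str):
    """Parse one X-Frame-Options field value.

    Returns (directive, allowed_origin) where allowed_origin is set only
    for ALLOW-FROM, or None when the value is not a valid policy (empty,
    unknown directive, comma-separated list, ALLOW-FROM without a usable
    origin). A None result is what a browser silently ignores."""
    parts = header_value.split()
    if len(parts) == 1 and parts[0].upper() in ("DENY", "SAMEORIGIN"):
        return parts[0].upper(), None
    if len(parts) == 2 and parts[0].upper() == "ALLOW-FROM":
        candidate = urlsplit(parts[1])
        if candidate.scheme and candidate.hostname:
            return "ALLOW-FROM", origin_of(parts[1])
    return None


def may_frame(header_value, content_origin: str, top_origin):
    """Decide whether the response from content_origin may be rendered in a
    frame whose top-level document has origin top_origin (None means the
    response is the top-level document itself, so no framing is involved).

    Returns (allowed, reason). Mirrors browser behaviour: an absent or
    unparseable header means the content is framable by anyone."""
    if top_origin is None:
        return True, "not framed"
    if header_value is None:
        return True, "no X-Frame-Options header: framable by any origin"
    policy = parse_xfo(header_value)
    if policy is None:
        # Security-relevant caveat: a typo such as "DENY;" or a comma list
        # is not an error the browser reports; the protection is just gone.
        return True, f"unrecognised value {header_value!r} ignored: no protection"
    directive, allowed_origin = policy
    if directive == "DENY":
        return False, "DENY: framing refused for every origin"
    if directive == "SAMEORIGIN":
        same = origin_of(content_origin) == origin_of(top_origin)
        return same, "SAMEORIGIN: top-level origin " + ("matches" if same else "differs")
    # ALLOW-FROM: exactly one other origin may frame the content. Note that
    # browsers without ALLOW-FROM support treated this as an unknown value.
    ok = origin_of(top_origin) == allowed_origin
    return ok, f"ALLOW-FROM {allowed_origin}: top-level origin " + ("matches" if ok else "differs")


if __name__ == "__main__":
    # Constructed sample: a banking origin served with various policies.
    bank, partner, attacker = "https://bank.example", "https://partner.example", "https://evil.example"
    for value in ["DENY", "SAMEORIGIN", "ALLOW-FROM https://partner.example", "DENY, SAMEORIGIN", None]:
        for top in (bank, partner, attacker):
            allowed, why = may_frame(value, bank, top)
            print(f"{str(value):36} framed by {top:24} -> {'ALLOW' if allowed else 'BLOCK'}  ({why})")
```

The last row of the sample run is the one worth remembering when reviewing server configurations: "DENY, SAMEORIGIN" looks stricter than either value alone but parses as nothing, so the page is framable by every origin.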