Re: [websec] Coordinating Frame-Options and CSP UI Safety directives

"Hill, Brad" <> Tue, 10 July 2012 00:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D38A221F8668 for <>; Mon, 9 Jul 2012 17:02:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.117
X-Spam-Status: No, score=-9.117 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DNS_FROM_RFC_BOGUSMX=1.482, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FySOpD8MKnLH for <>; Mon, 9 Jul 2012 17:02:09 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id ED47C21F8663 for <>; Mon, 9 Jul 2012 17:02:08 -0700 (PDT)
DomainKey-Signature: s=ppinc;; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:From:To:CC: Subject:Thread-Topic:Thread-Index:Date:Message-ID: References:In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:x-originating-ip: x-ems-proccessed:x-ems-stamp:Content-Type: Content-Transfer-Encoding:MIME-Version; b=c4TwqGMrZzKo7yAgelqsfpdHfda/Ju5bFC47ZUrjB3vIT9xwZMRL7Ti/ G/hN9kYBkfXL9A6TAJcx4mAHzHS5Qd7INeuuldnbA+ZEQPWzsW2LsEkDj o6cFJ9gjnUfv52u;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;; q=dns/txt; s=ppinc; t=1341878555; x=1373414555; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=xGGdDyJmqgGdye3x7OqUbHqpjBPkpjbs6LIfBZWLOD4=; b=LCE8RmU0qsv478XrsWDkDbf9IMiGhu7j8VllMFUDdQOL0V5ZA7NkK3tw SoRWjS4dqT6ghI71bVkQTLC+zgtYop7LOxsmACv0xw5yODqGiV0xJtRHp j8BgM2XXZjUcaq4;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos;i="4.77,555,1336374000"; d="scan'208";a="8573236"
Received: from unknown (HELO ([]) by with ESMTP/TLS/AES128-SHA; 09 Jul 2012 17:02:35 -0700
Received: from ([fe80::40c1:9cf7:d21e:46c]) by ([fe80::8109:2a37:17ad:e57e%18]) with mapi id 14.02.0298.004; Mon, 9 Jul 2012 18:02:31 -0600
From: "Hill, Brad" <>
To: Tobias Gondrom <>, "" <>
Thread-Topic: [websec] Coordinating Frame-Options and CSP UI Safety directives
Thread-Index: Ac1eARMykz8Gk35PQYOw0F4CVEc1fgAWw6QAAAxPUgA=
Date: Tue, 10 Jul 2012 00:02:31 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-ems-proccessed: 10SqDH0iR7ekR7SRpKqm5A==
x-ems-stamp: RUhmLvUG+V+CYtcAGpFVxg==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [websec] Coordinating Frame-Options and CSP UI Safety directives
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 10 Jul 2012 00:02:09 -0000


 I'm happy to move the discussion primarily to websec, and I'll drop the cc: to webappsec after this email.  Thanks for the historical clarification, as well.

I'm not terribly concerned about which group does the work, as much as arriving at the engineering solution that works best for user agent and resource authors, some of whom have expressed preference for moving this functionality into CSP.  As both a chair and an individual, I don't have a strong preference, but I think there are reasons in favor of each option and it is worth re-opening the discussion now that the WebAppSec WG has a concrete deliverable under development to address the same general class of attacks.

I'll send out a summary shortly of the similarities and differences between the various options currently proposed for some additional context.

-Brad Hill