[websec] Frame embedding: One problem, three possible specs?

Thomas Roessler <tlr@w3.org> Thu, 07 July 2011 21:12 UTC

From: Thomas Roessler <tlr@w3.org>
Date: Thu, 07 Jul 2011 23:11:58 +0200
Message-Id: <DAD1FA49-1355-4769-852C-F47AB8E04682@w3.org>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>, Arthur Barstow <art.barstow@nokia.com>, Brad Hill <bhill@paypal-inc.com>, Eric Rescorla <ekr@rtfm.com>, Alexey Melnikov <alexey.melnikov@isode.com>, David Ross <dross@microsoft.com>, Anne van Kesteren <annevk@opera.com>, Adrian Bateman <adrianba@microsoft.com>, Brandon Sterne <bsterne@mozilla.com>, Adam Barth <abarth@gmail.com>, Charles McCathieNevile <chaals@opera.com>, Maciej Stachowiak <mjs@apple.com>
Cc: public-web-security@w3.org, "Michael(tm) Smith" <mike@w3.org>, websec@ietf.org, public-webapps@w3.org, Mark Nottingham <mnot@mnot.net>
Subject: [websec] Frame embedding: One problem, three possible specs?
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>

(Warning, this is cross-posted widely. One of the lists is the IETF websec mailing list, to which the IETF NOTE WELL applies: http://www.ietf.org/about/note-well.html)


Folks,

there appear to be at least three possible specifications addressing this space, with similar but different designs:

1. A proposed deliverable in the WebAppSec group to take up on X-Frame-Options and express those in CSP:
  http://www.w3.org/2011/07/appsecwg-charter.html

(We expect that this charter might go to the W3C AC for review as soon as next week.)

2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion") currently considered for publication as an FPWD in the Webapps WG:
  http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html

This draft mentions integration into CSP as a possible path forward.

3. draft-gondrom-frame-options, an individual I-D mentioned to websec:
  https://datatracker.ietf.org/doc/draft-gondrom-frame-options/
  http://www.ietf.org/mail-archive/web/websec/current/msg00388.html


How do we go about it?  One path forward might be to just proceed as currently planned and coordinate when webappsec starts working.

Another path forward might be to see whether we can agree now on what forum to take these things forward in (and what the coordination dance might look like).

Thoughts welcome.

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)