[websec] WGLC feedback for X-Frame-Options

Julian Reschke <julian.reschke@gmx.de> Tue, 06 November 2012 17:25 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 77FA521F8A60 for <websec@ietfa.amsl.com>; Tue, 6 Nov 2012 09:25:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.599
X-Spam-Status: No, score=-105.599 tagged_above=-999 required=5 tests=[AWL=-3.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id qou+WGQvY1WE for <websec@ietfa.amsl.com>; Tue, 6 Nov 2012 09:25:49 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net []) by ietfa.amsl.com (Postfix) with SMTP id BCD7721F8A49 for <websec@ietf.org>; Tue, 6 Nov 2012 09:25:47 -0800 (PST)
Received: (qmail invoked by alias); 06 Nov 2012 17:25:46 -0000
Received: from mail.greenbytes.de (EHLO []) [] by mail.gmx.net (mp040) with SMTP; 06 Nov 2012 18:25:46 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18JOXI1QToJafd2c7L+TVDwrYpZMl+fAbXO3J0McF fCcAeGCBV3eRgr
Message-ID: <50994817.1030503@gmx.de>
Date: Tue, 06 Nov 2012 18:25:43 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>
In-Reply-To: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: [websec] WGLC feedback for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2012 17:25:50 -0000

Hi there,

here's my feedback from the HTTP/editorial point of view:

> Abstract
>    To improve the protection of web applications against Clickjacking
>    this standard defines an http response header that declares a policy

s/http response header/HTTP response header field/

>    communicated from a host to the client browser on whether the browser
>    must not display the transmitted content in frames of other web
>    pages.  This drafts serves to document the existing use and


>    In 2009 and 2010 many browser vendors ([Microsoft-X-Frame-Options],
>    [CLICK-DEFENSE-BLOG], [Mozilla-X-Frame-Options]) introduced the use
>    of a non-standard http header RFC 2616 [RFC2616] "X-Frame-Options" to

s/http header RFC 2616 [RFC2616]/HTTP [RFC2616] header field/

>    protect against Clickjacking [Clickjacking].  This draft is to
>    document the current use of X-Frame-Options header and shall in the
>    future be replaced by the Frame-Options [FRAME-OPTIONS] standard.

What's supposed to be replaced is the header field, not the spec, right?

> 2. X-Frame-Options Header
>    The X-Frame-Options HTTP response header indicates a policy whether a

s/header/header field/ throughout.

>    browser MUST NOT allow to render a page in a <frame> or <iframe> .


> 2.1. Syntax
>    The header field name is:
>    X-Frame-Options
>    There are three different values for the header field.  These values
>    are exclusive, that is NOT more than one of the three values MUST be
>    set.

maybe "exactly one"?

>    DENY
>          A browser receiving content with this header MUST NOT display
>          this content in any frame.
>          A browser receiving content with this header MUST NOT display
>          this content in any frame from a page of different origin than
>          the content itself.

Reference ORIGIN spec?

>    ALLOW-FROM  (followed by a URI [RFC3986] of a trusted origin)
>          A browser receiving content with this header MUST NOT display
>          this content in a frame from any page with a top-level browsing
>          contex of different origin than the specified origin.  While
>          this can expose the page to risks by the trusted origin, in
>          some cases it may be necessary to allow the framing by content
>          from other domains.
>          For example: X-FRAME-OPTIONS: ALLOW-FROM:
>          https://www.domain.com/

The example needs reformatting.

>    The ALLOW-FROM URI MUST be valid.
>    Any data beyond the domain address (i.e. any data after the "/"
>    separator) is to be ignored.  And the algorithm to compare origins

authority component?

>    from [RFC6454] SHOULD be used to verify a referring page is of the
>    same origin as the content or that the referring page's origin is
>    identical with the ALLOW-FROM URI.
>    Wildcards or lists to declare multiple domains in one ALLOW-FROM
>    statement are not permitted.
>    Please note that in conflict with [RFC6454], current implementations
>    do not consider the port as a defining component of the origin.
> 2.2. Backus-Naur Form (BNF)
>    The RFC 822 [RFC0822] EBNF of the X-Frame-Options header is:
>          X-Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" /
>                                  ("ALLOW-FROM" ":" URI)

That should reference HTTPbis P1, and just define the field *value, such as:

X-Frame-Options = "DENY"
                 / "SAMEORIGIN"
                 / ( "ALLOW-FROM" OWS ":" OWS URI )
OWS = <HTTPbis P1 ref>
URI = <RFC3986 ref>

Note that this makes the keywords case-insensitive; if this is intended 
it might make sense to call it out. Otherwise, the ABNF needs to be fixed.

> 6.1. Normative References
>    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
>               Requirement Levels", BCP 14, RFC 2119, March 1997.

I'm pretty sure you need normative references for HTTP, ABNF and URI.

 > ...

Best regards, Julian