Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
"Hill, Brad" <bhill@paypal-inc.com> Fri, 16 August 2013 21:53 UTC
From: "Hill, Brad" <bhill@paypal-inc.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>, "barryleiba@computer.org" <barryleiba@computer.org>, "turners@ieca.com" <turners@ieca.com>
Date: Fri, 16 Aug 2013 21:52:50 +0000
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27BACF3D@DEN-EXDDA-S12.corp.ebay.com>
References: <20130814161444.6218.82572.idtracker@ietfa.amsl.com> <CALaySJJ18izJmD34XGvZSOpY2BgReOeH3KGi+3ZZATo5DpoT=A@mail.gmail.com> <520BB341.3050209@gondrom.org>
In-Reply-To: <520BB341.3050209@gondrom.org>
Cc: "draft-ietf-websec-x-frame-options@tools.ietf.org" <draft-ietf-websec-x-frame-options@tools.ietf.org>, "websec@ietf.org" <websec@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "websec-chairs@tools.ietf.org" <websec-chairs@tools.ietf.org>
Subject: Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of Tobias Gondrom
Sent: Wednesday, August 14, 2013 9:42 AM
To: barryleiba@computer.org; turners@ieca.com
Cc: draft-ietf-websec-x-frame-options@tools.ietf.org; websec@ietf.org; iesg@ietf.org; websec-chairs@tools.ietf.org
Subject: Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)

> On 14/08/13 17:30, Barry Leiba wrote:
>> It's interesting to note that this draft says there's a problem with
>> folks not checking the origins of the entire ancestor tree of names of
>> the framing resource - but then doesn't say that it sounds like a good
>> idea to do it. I can see the argument that might be made that this
>> draft is just documenting what's done now, but shouldn't we take the
>> opportunity to do more and recommend something along the lines of "The
>> entire ancestor tree of names of the framing resource SHOULD be checked
>> to mitigate the risk of attacks in multiple-nested scenarios" or
>> something like that?
>>
>> It seems that that should be work for the W3C folks who are working on
>> the successor mechanism. This really *is* just meaning to document
>> what's in use now, warts and all.
>>
>> Barry
>
> I agree with Barry. (And we gave according input to WebAppSec at W3C
> when we handed over the goal for CSP1.1.)
>
> Best regards, Tobias

-----------------

And the ancestor walking behavior is what we have specified in the successor at W3C.

-Brad Hill
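The thread contrasts a single-point framing check with walking the entire ancestor tree. The following is an added example, not code from the mailing list, the draft, or any browser: a simplified model of a user agent deciding whether a page may be rendered in a frame, evaluated under three modes (top-level document only, immediate parent only, every ancestor). It assumes origins are plain strings compared for exact equality; the origins, the `framingAllowed` and `compareModes` helpers, and the nested scenarios are all constructed for illustration.

```javascript
// Added example, not code from the mailing-list thread or from any browser:
// a simplified model of a user agent deciding whether a document may be
// rendered in a frame. It compares a single-point check (top-level document
// only, or immediate parent only) against walking every ancestor, which is
// the behaviour the thread says the W3C successor specifies.
// Assumption: origins are plain strings and compared for exact equality.

// Resolve a policy's allowed origins. 'self' stands for the protected page's
// own origin (the SAMEORIGIN case).
function resolveAllowed(allowed, protectedOrigin) {
  return new Set(allowed.map(o => (o === "'self'" ? protectedOrigin : o)));
}

// `ancestors` lists the origins of the embedding chain from the immediate
// parent (index 0) up to the top-level browsing context (last index).
// `mode` selects which ancestors are examined:
//   "top"    - only the top-level document (one single-point check)
//   "parent" - only the immediate parent (the other single-point check)
//   "all"    - every ancestor (ancestor-walking behaviour)
// Returns true when framing is permitted.
function framingAllowed(allowed, protectedOrigin, ancestors, mode) {
  if (ancestors.length === 0) return true; // not framed at all
  if (allowed.length === 0) return false;  // empty allow list: DENY
  const ok = resolveAllowed(allowed, protectedOrigin);
  let examined;
  switch (mode) {
    case "top":    examined = [ancestors[ancestors.length - 1]]; break;
    case "parent": examined = [ancestors[0]]; break;
    case "all":    examined = ancestors; break;
    default:       throw new Error("unknown mode " + mode);
  }
  return examined.every(origin => ok.has(origin));
}

// Constructed multiple-nested scenario: the protected page permits framing
// by one partner site only. Each chain places the partner at one end of the
// chain and an unrelated site at the other end.
const PROTECTED = "https://bank.example";
const ALLOWED = ["https://partner.example"];
const SCENARIOS = {
  // partner is the top-level page; an unrelated site sits in between
  partnerOnTop: ["https://unrelated.example", "https://partner.example"],
  // partner is the immediate parent; an unrelated site is the top-level page
  partnerAsParent: ["https://partner.example", "https://unrelated.example"],
};

// Evaluate every scenario under every mode. A permissive result under a
// single-point mode is exactly the gap that walking all ancestors closes.
function compareModes() {
  const result = {};
  for (const [name, chain] of Object.entries(SCENARIOS)) {
    result[name] = {};
    for (const mode of ["top", "parent", "all"]) {
      result[name][mode] = framingAllowed(ALLOWED, PROTECTED, chain, mode);
    }
  }
  return result;
}

console.log(JSON.stringify(compareModes(), null, 2));
```

Run with `node`. Each single-point mode admits one of the two chains while rejecting the other, so whichever single ancestor an implementation picks, a nesting exists that satisfies the check with an unrelated origin elsewhere in the chain; only the `"all"` mode rejects both.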