Re: [websec] X-Frame-Options EBNF bug at Mozilla

Julian Reschke <julian.reschke@gmx.de> Tue, 26 February 2013 16:06 UTC

On 2013-02-26 11:24, Tobias Gondrom wrote:
> Thanks a lot for bringing this to WG attention.
> It seems that I misread that point when I first wrote the draft.
> Actually the same is true for IE.
> I corrected the ABNF in the new version to reflect IE and Mozilla behavior.
> Best regards and thanks a lot for catching this!
> Tobias
> ...


See <https://bugzilla.mozilla.org/show_bug.cgi?id=836132#c19>:

>  Phil Ames (New to Bugzilla) 2013-02-26 08:00:53 PST
>
> From http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2 :
>
> "The values are specified as ABNF strings, and therefore are case-insensitive"
>
> and the relevant methods in the code use "[header-value].LowerCaseEqualsLiteral(...)" so they match case-insensitively.
>
> One note, I think the spec is incorrect in stating that FF/Chrome support colons in 2.2.2, Chrome has no support at all for Allow-From (just my pending patch which has the same behavior as the one that led to this bug), and obviously colons are not supported here either (and the intent seems to be to not permit them).

So I believe 
<http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2.2> 
needs to be fixed; in the best case by just removing it.

Best regards, Julian
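
Added example (not part of the original message, and not Mozilla's or Chrome's code): a header check that applies the two points from the quoted Bugzilla comment, namely that values match case-insensitively and that a colon after ALLOW-FROM is not accepted. The function name, the result shape, the sample values and the whitespace-separated `ALLOW-FROM <origin>` form are assumptions made for illustration.

```javascript
// Classify an X-Frame-Options header value (illustrative helper, hypothetical name).
// Assumption: ALLOW-FROM is separated from its origin by whitespace, never by a colon.
function parseXFrameOptions(raw) {
  const value = String(raw).trim();
  const lower = value.toLowerCase(); // keywords are compared case-insensitively

  if (lower === 'deny') return { policy: 'DENY' };
  if (lower === 'sameorigin') return { policy: 'SAMEORIGIN' };

  const keyword = 'allow-from';
  if (!lower.startsWith(keyword)) {
    return { policy: 'INVALID', reason: 'unknown value' };
  }

  // Everything after the keyword, with original case preserved for URL parsing.
  const rest = value.slice(keyword.length);

  // "ALLOW-FROM: https://..." is the form the quoted comment says is unsupported.
  if (rest.trimStart().startsWith(':')) {
    return { policy: 'INVALID', reason: 'colon after ALLOW-FROM' };
  }
  // Require at least one whitespace character and then something to parse.
  if (!/^\s+\S/.test(rest)) {
    return { policy: 'INVALID', reason: 'missing whitespace or origin' };
  }

  let url;
  try {
    url = new URL(rest.trim());
  } catch {
    return { policy: 'INVALID', reason: 'origin is not an absolute URL' };
  }
  // Schemes such as data: serialize to the opaque origin "null".
  if (url.origin === 'null') {
    return { policy: 'INVALID', reason: 'URL has no usable origin' };
  }
  return { policy: 'ALLOW-FROM', origin: url.origin };
}

// Constructed sample values, one per case discussed in the thread.
const samples = ['deny', 'SameOrigin', 'Allow-From https://example.com/',
  'ALLOW-FROM: https://example.com', 'allow-fromhttps://example.com'];
for (const s of samples) console.log(JSON.stringify(s), parseXFrameOptions(s));
```

Run over the response headers a site actually emits, a check like this flags the colon form before it is deployed.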