Re: [websec] WGLC for X-Frame-Options
Alexey Melnikov <alexey.melnikov@isode.com> Tue, 06 November 2012 16:08 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 212E321F89A0 for <websec@ietfa.amsl.com>; Tue, 6 Nov 2012 08:08:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.103
X-Spam-Level:
X-Spam-Status: No, score=-102.103 tagged_above=-999 required=5 tests=[AWL=-0.496, BAYES_00=-2.599, DATE_IN_PAST_12_24=0.992, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AsMObVYe8yKX for <websec@ietfa.amsl.com>; Tue, 6 Nov 2012 08:08:50 -0800 (PST)
Received: from waldorf.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 6E06821F893C for <websec@ietf.org>; Tue, 6 Nov 2012 08:08:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1352218128; d=isode.com; s=selector; i=@isode.com; bh=iZn+mh1vI35DbwBdzA9IYdJERytKP3OEOwX5ICVX6Sg=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=lgN5RF2bAS4hVlmlIqj1l/S2aPh1iBNtD4AANtuN24wR+0Gq4aFLjRYT2g3ea5n68P+XiX 6GwByQQAJPFcrjCm28Iq0VAN94TzlzWaNHWUS6JK1PGf5XlGKH/HmL0TCZvMo60IdC3mmD Unlp5F9f33la2w9Z0CAlhXnQb8xLb1Q=;
Received: from [130.129.18.182] (dhcp-12b6.meeting.ietf.org [130.129.18.182]) by waldorf.isode.com (submission channel) via TCP with ESMTPA id <UJk2DgBK0seS@waldorf.isode.com>; Tue, 6 Nov 2012 16:08:48 +0000
Message-ID: <50984991.6000601@isode.com>
Date: Mon, 05 Nov 2012 23:19:45 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
To: IETF WebSec WG <websec@ietf.org>
References: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com> <124AE7B2-5EB7-42E6-A4CA-F89B2AEF43F8@checkpoint.com>
In-Reply-To: <124AE7B2-5EB7-42E6-A4CA-F89B2AEF43F8@checkpoint.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] WGLC for X-Frame-Options
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2012 16:08:51 -0000
Here is my review (with my co-chair hat off):
[RFC3986] should be a Normative reference (as it is required to
parse/generate
a valid X-Frame-Options header field).
[RFC6454] is normative, because there is a SHOULD requirement to use it.
In Section 2.1:
The ALLOW-FROM URI MUST be valid.
I don't know what this mean exactly. Can you elaborate?
2.2. Backus-Naur Form (BNF)
The RFC 822 [RFC0822] EBNF of the X-Frame-Options header is:
Which makes [RFC0822] Normative.
X-Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" /
("ALLOW-FROM" ":" URI)
With URI as defined in [RFC3986]
[TBD] Or should we use the ABNF (RFC 2234) alternatively to EBNF or
in addition?
Yes, you should use RFC 5234. This probably means inserting "[WSP]" in
various
places, but I think that would be much better.
2.3.2. Browser Behaviour and Processing
To allow secure implementations, browsers MUST behave in a consistent
and reliable way.
This is self evident, IMHO, and I don't think it adds much value. How
exactly
violation or conformance to this MUST be verified? I suggest deleting
the sentence.
2.4.1. Example scenario for the ALLOW-FROM parameter
1. Inner IFRAME suggests via a querystring parameter what site it
wants to be hosted by. This can obviously be specified by an
attacker, but that's OK.
I blame lack of sleep, but can you explain this to me in more details?
5. Security Considerations
The introduction of the http header X-FRAME-OPTIONS does improve the
protection against Clickjacking, however it is not self-sufficient on
its own but MUST be used in conjunction with other security measures
like secure coding and Content Security Policy (CSP)
CSP needs an Informative reference.
- [websec] WGLC for X-Frame-Options Yoav Nir
- Re: [websec] WGLC for X-Frame-Options Yoav Nir
- Re: [websec] WGLC for X-Frame-Options Alexey Melnikov
- Re: [websec] WGLC for X-Frame-Options Julian Reschke
- [websec] WGLC feedback for X-Frame-Options Julian Reschke
- Re: [websec] WGLC for X-Frame-Options Hill, Brad
- Re: [websec] WGLC for X-Frame-Options Yoav Nir
- Re: [websec] WGLC for X-Frame-Options Peter Saint-Andre
- Re: [websec] WGLC feedback for X-Frame-Options Julian Reschke
- Re: [websec] WGLC feedback for X-Frame-Options Yoav Nir