Re: [websec] WGLC for X-Frame-Options

Alexey Melnikov <> Tue, 06 November 2012 16:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 212E321F89A0 for <>; Tue, 6 Nov 2012 08:08:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.103
X-Spam-Status: No, score=-102.103 tagged_above=-999 required=5 tests=[AWL=-0.496, BAYES_00=-2.599, DATE_IN_PAST_12_24=0.992, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AsMObVYe8yKX for <>; Tue, 6 Nov 2012 08:08:50 -0800 (PST)
Received: from ( [IPv6:2a00:14f0:e000:7c::2]) by (Postfix) with ESMTP id 6E06821F893C for <>; Tue, 6 Nov 2012 08:08:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1352218128;; s=selector;; bh=iZn+mh1vI35DbwBdzA9IYdJERytKP3OEOwX5ICVX6Sg=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=lgN5RF2bAS4hVlmlIqj1l/S2aPh1iBNtD4AANtuN24wR+0Gq4aFLjRYT2g3ea5n68P+XiX 6GwByQQAJPFcrjCm28Iq0VAN94TzlzWaNHWUS6JK1PGf5XlGKH/HmL0TCZvMo60IdC3mmD Unlp5F9f33la2w9Z0CAlhXnQb8xLb1Q=;
Received: from [] ( []) by (submission channel) via TCP with ESMTPA id <>; Tue, 6 Nov 2012 16:08:48 +0000
Message-ID: <>
Date: Mon, 05 Nov 2012 23:19:45 +0000
From: Alexey Melnikov <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
To: IETF WebSec WG <>
References: <> <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] WGLC for X-Frame-Options
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 06 Nov 2012 16:08:51 -0000

Here is my review (with my co-chair hat off):

[RFC3986] should be a Normative reference (as it is required to 
a valid X-Frame-Options header field).

[RFC6454] is normative, because there is a SHOULD requirement to use it.

In Section 2.1:

   The ALLOW-FROM URI MUST be valid.

I don't know what this mean exactly. Can you elaborate?

2.2.  Backus-Naur Form (BNF)

    The RFC 822 [RFC0822] EBNF of the X-Frame-Options header is:

Which makes [RFC0822] Normative.

          X-Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" /
                                  ("ALLOW-FROM" ":" URI)

    With URI as defined in [RFC3986]
    [TBD] Or should we use the ABNF (RFC 2234) alternatively to EBNF or
    in addition?

Yes, you should use RFC 5234. This probably means inserting "[WSP]" in 
places, but I think that would be much better.

2.3.2.  Browser Behaviour and Processing

    To allow secure implementations, browsers MUST behave in a consistent
    and reliable way.

This is self evident, IMHO, and I don't think it adds much value. How 
violation or conformance to this MUST be verified? I suggest deleting 
the sentence.

2.4.1.  Example scenario for the ALLOW-FROM parameter

    1.  Inner IFRAME suggests via a querystring parameter what site it
        wants to be hosted by.  This can obviously be specified by an
        attacker, but that's OK.

I blame lack of sleep, but can you explain this to me in more details?

5.  Security Considerations

    The introduction of the http header X-FRAME-OPTIONS does improve the
    protection against Clickjacking, however it is not self-sufficient on
    its own but MUST be used in conjunction with other security measures
    like secure coding and Content Security Policy (CSP)

CSP needs an Informative reference.