Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
Yoav Nir <ynir@checkpoint.com> Sun, 18 August 2013 15:09 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D53911E8125; Sun, 18 Aug 2013 08:09:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.557
X-Spam-Level:
X-Spam-Status: No, score=-10.557 tagged_above=-999 required=5 tests=[AWL=0.042, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oij7oQH2eApm; Sun, 18 Aug 2013 08:09:36 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id CBC5511E8124; Sun, 18 Aug 2013 08:09:35 -0700 (PDT)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r7IF9FIW015573; Sun, 18 Aug 2013 18:09:16 +0300
X-CheckPoint: {5210E39B-14-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.105]) by DAG-EX10.ad.checkpoint.com ([169.254.3.223]) with mapi id 14.02.0342.003; Sun, 18 Aug 2013 18:09:14 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Sean Turner <turners@ieca.com>
Thread-Topic: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
Thread-Index: AQHOmQlsFXmWJxTQ/kGarKEYKdLs8pma5XOA
Date: Sun, 18 Aug 2013 15:09:14 +0000
Message-ID: <DE1E1196-CDF4-4D29-8ADD-F8DAE914B5E9@checkpoint.com>
References: <20130814161444.6218.82572.idtracker@ietfa.amsl.com>
In-Reply-To: <20130814161444.6218.82572.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.83]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11fba70b736665cbac9b37499c89475d4a6803f027
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5392B4D554CD8D4FA9D126915475616F@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<draft-ietf-websec-x-frame-options@tools.ietf.org>" <draft-ietf-websec-x-frame-options@tools.ietf.org>, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, "<websec-chairs@tools.ietf.org>" <websec-chairs@tools.ietf.org>
Subject: Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Aug 2013 15:09:42 -0000
On Aug 14, 2013, at 7:14 PM, Sean Turner <turners@ieca.com> wrote: > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > It's interesting to note that this draft says there's a problem with > folks not checking the origins of the entire ancestor tree of names of > the framing resource - but then doesn't say that sounds like a good idea > do it. I can see the argument that might be made that this draft is just > documenting what's done now, but shouldn't we take the opportunity to do > more and recommend something along the lines of "The entire ancestor tree > of names of the framing resource SHOULD be checked to mitigate the risk > of attacks in multiple-nested scenarios" or something like that? Hi Sean. The text has changed in version -10. There are still no RFC 2119 words there and no recommendations to browser vendors (as we take those to be immovable objects (the implementation, not the vendors)), but the recommendations to web developers have been changed from "should be aware" to "should make sure". Since we are documenting a given situation, which we hope will be changed by the CSP work, and since web developers cannot ignore the status quo (when *is* a good time to stop targetting IE8?), does this text change satisfy you? OLD: For example, if a resource on origin A embeds untrusted content from origin B, that untrusted content can embed another resource from origin A with an X-Frame-Options: SAMEORIGIN policy and that check would pass if the user agent only verifies the top-level browsing context. Therefore web developers should be aware that embedding content from other sites can leave their web pages vulnerable to clickjacking even if the X-Frame-Options header is used. NEW: a. If the browser implementation evaluates based on the origins of the framed page and the framing page: Suppose a web page A (from origin 1) embeds a web page B (from origin 2) in a frame or iframe which in turn embeds web page C (from origin 2) using the x-frame-options header in a frame. In this case web page B needs to use X-Frame-Options as well, or else a malicious page A could frame page B and with that indirectly also page C. Therefore web developers should make sure that all pages from an origin that is allowed to frame a given resource web page C should also use X-Frame-Options or otherwise risk exposing web page C indirectly to Clickjacking attacks. And so forth recursively until the top-level browsing- context (i.e. most outer frame) is reached. b. If the browser implementation evaluates based on the origin of the framed page and the top-level browsing-context (i.e. most outer frame): If a resource from origin A embeds untrusted content from origin B, that untrusted content can embed another resource from origin A with an X-Frame-Options: SAMEORIGIN policy and that check would pass if the user agent only verifies the top-level browsing context. Therefore web developers should be aware that embedding content from other sites can leave their web pages vulnerable to clickjacking even if the X-Frame-Options header is used. Yoav
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Barry Leiba
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Tobias Gondrom
- [websec] Sean Turner's Discuss on draft-ietf-webs… Sean Turner
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Yoav Nir
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Ted Lemon
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Tobias Gondrom
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Ted Lemon
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Tobias Gondrom
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Hill, Brad
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Yoav Nir
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Sean Turner