Re: [websec] WGLC for X-Frame-Options

"Hill, Brad" <> Thu, 08 November 2012 19:50 UTC

From: "Hill, Brad" <>
To: Yoav Nir <>, IETF WebSec WG <>

In "2.3.1.  Enable HTML content from other domains", the object tag is mentioned in addition to frame and iframe.  This list should also include the applet and embed tags, although user agent behavior may not be consistent on this.

In "5. Security Considerations", it should be mentioned that current implementations do not check the entire ancestor tree of the protected resource, and this may expose the resource to attack in multiply-nested scenarios.  For example, if a resource on origin A embeds untrusted content from origin B, that untrusted content can embed another resource from origin A with an X-Frame-Options: SAMEORIGIN policy and that check will pass if the user agent only verifies the top-level browsing context.

It should also probably be mentioned that X-Frame-Options MUST be sent as an HTTP header and is explicitly ignored by user agents when declared with a meta http-equiv tag.

-Brad Hill

> -----Original Message-----
> From: [] On Behalf
> Of Yoav Nir
> Sent: Tuesday, October 23, 2012 6:40 PM
> To: IETF WebSec WG
> Subject: [websec] WGLC for X-Frame-Options
> Hi all
> This is to initiate WGLC for the X-Frame-Options draft (not to be confused
> with the Frame-Options draft).
> Please go to,
> read the draft and send comments.
> As usual, we would very much like to hear comments about clarity,
> thoroughness and applicability. Since this draft documents existing behavior,
> rather than prescribing future behavior, we would especially like to hear from
> people familiar with current implementations that support the X-Frame-
> Option header about whether the draft accurately describes the behavior of
> those implementations.
> WGLC is usually for two weeks. However, the following two weeks include an
> IETF meeting, so I am extending this period to a little over three weeks. WGLC
> will end on Friday, November 16th. Please send your comments early, so that
> we might use our session in Atlanta to discuss issues that come up.
> Yoav
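
The nested-frame scenario and the meta http-equiv point from the message above, modelled as an added JavaScript example (not part of the original e-mail or the draft). The function names, the `mode` switch and the a.example / b.example origins are assumptions made for illustration; this is not any browser's actual code.

```javascript
// Illustrative model of the X-Frame-Options framing decision.
// `ancestors` lists the frame chain from the top-level browsing context
// down to the direct parent of the protected resource.

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// policy: { value: "DENY" | "SAMEORIGIN", source: "header" | "meta" }
// A policy declared via <meta http-equiv> is ignored, as the message notes.
function effectivePolicy(policy) {
  if (!policy || policy.source !== "header") return null;
  return policy.value.trim().toUpperCase();
}

// mode "top-only": compare only the top-level context (behaviour described
// in the message). mode "all-ancestors": compare every ancestor in the chain.
function mayRender(resourceUrl, ancestors, policy, mode) {
  const value = effectivePolicy(policy);
  if (value === null) return true;          // no enforceable policy
  if (value === "DENY") return false;
  if (value !== "SAMEORIGIN") return true;  // other values are not modelled here
  if (ancestors.length === 0) return true;  // resource is not framed
  const toCheck = mode === "top-only" ? [ancestors[0]] : ancestors;
  return toCheck.every((a) => sameOrigin(a, resourceUrl));
}

// Constructed sample: origin A embeds untrusted B, which embeds A again.
function demo() {
  const A = "https://a.example", B = "https://b.example";
  const resource = A + "/account";
  const nested = [A + "/portal", B + "/widget"];
  const hdr = { value: "SAMEORIGIN", source: "header" };
  return {
    nestedTopOnly: mayRender(resource, nested, hdr, "top-only"),
    nestedAllAncestors: mayRender(resource, nested, hdr, "all-ancestors"),
    directCrossOrigin: mayRender(resource, [B + "/page"], hdr, "top-only"),
    metaDeny: mayRender(resource, [B + "/page"],
                        { value: "DENY", source: "meta" }, "all-ancestors"),
  };
}

console.log(demo());
```

The `nestedTopOnly` result is the gap the message asks the Security Considerations section to document: the SAMEORIGIN check passes even though origin B sits between the two origin-A contexts.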