Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 14 August 2013 17:56 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FE7E21E80C7 for <websec@ietfa.amsl.com>; Wed, 14 Aug 2013 10:56:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level:
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8LF+SBPKC5Ze for <websec@ietfa.amsl.com>; Wed, 14 Aug 2013 10:56:47 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id 49CAD21E80DB for <websec@ietf.org>; Wed, 14 Aug 2013 10:56:42 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=CGQmPcEldj5jTZ31lUJIRKW4U95fnDYRCwezH5m8iprYD58LCReGNGGmuqn6733x57AoTxd71fJ8Q9hSBCLZIrZttXIAh9BnL5hCUA45nkaYF9cfl1KFpURYtsd/CcNN; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 17828 invoked from network); 14 Aug 2013 19:56:38 +0200
Received: from 188-222-103-191.zone13.bethere.co.uk (HELO ?192.168.1.64?) (188.222.103.191) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 14 Aug 2013 19:56:38 +0200
Message-ID: <520BC4D5.40401@gondrom.org>
Date: Wed, 14 Aug 2013 18:56:37 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: ynir@checkpoint.com, turners@ieca.com
References: <20130814161444.6218.82572.idtracker@ietfa.amsl.com> <296E0D02-A1FB-4050-9DF6-06C60199AB32@checkpoint.com>
In-Reply-To: <296E0D02-A1FB-4050-9DF6-06C60199AB32@checkpoint.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-websec-x-frame-options@tools.ietf.org, websec@ietf.org, iesg@ietf.org, websec-chairs@tools.ietf.org
Subject: Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 17:56:47 -0000
On 14/08/13 17:55, Yoav Nir wrote: > On Aug 14, 2013, at 7:14 PM, Sean Turner <turners@ieca.com> wrote: > >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> It's interesting to note that this draft says there's a problem with >> folks not checking the origins of the entire ancestor tree of names of >> the framing resource - but then doesn't say that sounds like a good idea >> do it. I can see the argument that might be made that this draft is just >> documenting what's done now, but shouldn't we take the opportunity to do >> more and recommend something along the lines of "The entire ancestor tree >> of names of the framing resource SHOULD be checked to mitigate the risk >> of attacks in multiple-nested scenarios" or something like that? > The charter mandate was to just document. I think advise to web masters might be in scope, but advise for browser makers (for example, how to harmonize the implementations) is not. See also my reply to Ted's email. >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> I'd ask about how RFC 6648 applies to this, but I bet this header was out >> long before the drafts that lead to RFC 6648. > 3-4 years before Peter's first draft. Yes the header was there long before 6648. But we refer to 6648 in the draft. > >> s1 (penultimate paragraph): r/script/Javascript ? > Any script. Flash can do scripting. Agree with Yoav. Though the main use case is Javascript. I would suggest to keep "script" here. > >> s4.1: Is Figure 1 missing or is that the registration template? ;) Yes, Figure 1 is the template. I did it in form of a template to maintain static formating and xml2rfc generates the "Figure 1" at the bottom automatically. I guess this can be mitigated by the RFC-Editor later. >> >> s5: >> r/all kinds of these attack vectors/these kind of attack vectors >> r/, ...)/) No. The correction would change the meaning of the sentence. (to be clear it does help against many of the attack vectors, just not all...) >> >> Appendix A: Is this a guarantee that x-frame-options/frame-options will >> be supported henceforth until the end of time in those browsers? >> Basically, I'm not sure Appendix A is needed. Obviously it is not a guarantee that x-frame-options shall be supported henceforth until the end of time. In fact the opposite is true: we hope that one day it will be replaced by CSP1.1. However, people in the WG felt it would be good to document the current use/implementations of X-Frame-Options in this draft (though I don't remember whether there were any strong opinions on that bit). >> >> >> _______________________________________________ >> websec mailing list >> websec@ietf.org >> https://www.ietf.org/mailman/listinfo/websec
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Barry Leiba
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Tobias Gondrom
- [websec] Sean Turner's Discuss on draft-ietf-webs… Sean Turner
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Yoav Nir
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Ted Lemon
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Tobias Gondrom
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Ted Lemon
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Tobias Gondrom
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Hill, Brad
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Yoav Nir
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Sean Turner