Re: [websec] Frame-Options: Why a header and not a CSP directive?

Adam Barth <ietf@adambarth.com> Fri, 04 May 2012 16:50 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1670821E8047 for <websec@ietfa.amsl.com>; Fri, 4 May 2012 09:50:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F54S-AJ-pgMr for <websec@ietfa.amsl.com>; Fri, 4 May 2012 09:50:35 -0700 (PDT)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id CFB1F21E804B for <websec@ietf.org>; Fri, 4 May 2012 09:50:34 -0700 (PDT)
Received: by bkty8 with SMTP id y8so2862412bkt.31 for <websec@ietf.org>; Fri, 04 May 2012 09:50:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=BYDagpCKYUVB0DzUl/o6pUXE8IrEUAOlVx/XKSM35CE=; b=juZtNNRcLwtWIjenH0SoQxpMKlfV++MnaJfyHkBH6rd3Z0dTl70wnaaHSzfCWam/F0 2gSGMGeW6Xd9RxY6V5WuabxLHQR1WMN6iAyDG7fv3AF+jRuh6l7XQeUU5c2ZFdzlVTRb V1olD1J4X6Wu+sm+/VErm5m5lIExgQGUrJ0TkBSg1Ftv3m0Od9WwVxEm21j+k1+0QEmu ijohfbtEGjLkKV8kcWvr01cX20vVr7FAhn4CW9ehGjQgNHj4nB5d9Ra8L3qrYFLybsQf 83R2wlmaXTn2nkCVpRU05iv+nezOC2AatgC32kWkBTDiRXgnu9F1j3eYMYrHatDFoCk6 FrVA==
Received: by 10.205.137.14 with SMTP id im14mr2383995bkc.137.1336150233737; Fri, 04 May 2012 09:50:33 -0700 (PDT)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by mx.google.com with ESMTPS id n17sm18038757bkw.5.2012.05.04.09.50.32 (version=SSLv3 cipher=OTHER); Fri, 04 May 2012 09:50:32 -0700 (PDT)
Received: by lbbgo11 with SMTP id go11so2492069lbb.31 for <websec@ietf.org>; Fri, 04 May 2012 09:50:31 -0700 (PDT)
Received: by 10.152.111.41 with SMTP id if9mr6346976lab.19.1336150231342; Fri, 04 May 2012 09:50:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.112.48.229 with HTTP; Fri, 4 May 2012 09:50:01 -0700 (PDT)
In-Reply-To: <4FA38134.4000808@gmx.de>
References: <CAJE5ia_82uobXnKiWf=+hH-QYtkLJvZ+bYChD7i_rjq3vjsD+g@mail.gmail.com> <4FA38134.4000808@gmx.de>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 4 May 2012 09:50:01 -0700
Message-ID: <CAJE5ia8ierPg0_BSNvLs7rW4u8gmQX9=QtW8cXndYyPpFtMBzA@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQnIV97rxzWSabTQ5QIoA4Jv0Fvsk4UqDC0r9H8SO1ehkznfxn6lNVUny93dkdhrxkh6s8A2
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Frame-Options: Why a header and not a CSP directive?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 16:50:36 -0000

On Fri, May 4, 2012 at 12:11 AM, Julian Reschke <julian.reschke@gmx.de>; wrote:
> On 2012-05-04 01:58, Adam Barth wrote:
>> In http://tools.ietf.org/html/draft-gondrom-frame-options-02 we're
>> introducing a new HTTP header called Frame-Options.  Is there a
>> particular reason to create yet-another-HTTP-header for carrying this
>> security policy?  Rather than inventing a new HTTP header, we can use
>> the extensible Content-Security-Policy header.
>> ...
>
> Well, the header field already exists as "x-frame-options", so the only
> thing new here is that there's a spec, and that it's promoting a prefix-less
> name.
>
> I have no opinion on whether it should be a CSP directive, but a goal should
> be to document what's out there, even if we don't like it. In *particular*
> if it is related to security, and used in practice.

Yes, I agree that we should document the existing X-Frame-Options
header.  However, the Frame-Options header doesn't yet exist.  Rather
than introduce it, I wonder if we'd be better off making the
"unprefixed" version a CSP directive rather than an HTTP header.

Adam