IETF Logo Mail Archive

Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Mon, 19 August 2013 15:42 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBFD321F93BF for <websec@ietfa.amsl.com>; Mon, 19 Aug 2013 08:42:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.872
X-Spam-Level:
X-Spam-Status: No, score=-2.872 tagged_above=-999 required=5 tests=[AWL=0.104, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8nDg0jN-daeb for <websec@ietfa.amsl.com>; Mon, 19 Aug 2013 08:42:14 -0700 (PDT)
Received: from mail-oa0-f54.google.com (mail-oa0-f54.google.com [209.85.219.54]) by ietfa.amsl.com (Postfix) with ESMTP id A3F9E11E8259 for <websec@ietf.org>; Mon, 19 Aug 2013 08:42:14 -0700 (PDT)
Received: by mail-oa0-f54.google.com with SMTP id o6so6241825oag.41 for <websec@ietf.org>; Mon, 19 Aug 2013 08:42:13 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=HSPq66vpCUSCb9mfU0cjHwo/GhP3CRO8fNpEuBBIVnA=; b=VA0GBtcaq2zRoGJE0GkJDqQOZqQwglKTKXtcITMwBYGNFeqGgALDv/84UAxRWGvwkQ Zaqp5bO1Wmbau8Rg8PP8fWbBtPcYbhAThNdcWghT3GhI/4ShO+3IzGxXPII5BNRAme76 ndvKm9i5sOq1A93zFywaAKnUc40johQNtdHxZvC642sSts4XYjJTvKaoiocUGI4Q3t/8 fjHVHocTG1UChyWszy0jEBGH6hcJIyc12m14kzWBpDQL6qtHIrN3O6P1ayNcRorZv8yq vUEyCAT4v7UPa6GDoPTzzDyA/uu67PxTjcqOd0fQk2XPJeynzM6bh9r18Djpb3R8w75K 8WpA==
X-Gm-Message-State: ALoCoQl9fEXT/aIN/dNEds+stjNpH5p3NfWDfkMRFbESOeJyVl6nBluuzr1MYunppBk2k5te3oo0
MIME-Version: 1.0
X-Received: by 10.182.236.103 with SMTP id ut7mr13799896obc.3.1376926933771; Mon, 19 Aug 2013 08:42:13 -0700 (PDT)
Received: by 10.60.31.74 with HTTP; Mon, 19 Aug 2013 08:42:13 -0700 (PDT)
X-Originating-IP: [192.1.255.218]
In-Reply-To: <52122EAD.8010503@gondrom.org>
References: <20130815014121.17800.33179.idtracker@ietfa.amsl.com> <520FFD18.2010008@gondrom.org> <CALaySJJLJyHL8ZiWcgqO8n-MdHrkdJ3XRni7Axb4NSLkh2_v6A@mail.gmail.com> <CAL02cgT=8GOWo2ROLpvRaKuW=_Wb=qPEE=wwHPsqSWfkvk4NRw@mail.gmail.com> <52122EAD.8010503@gondrom.org>
Date: Mon, 19 Aug 2013 11:42:13 -0400
Message-ID: <CAL02cgRjSEhA7WKLnue1fELFeh4aN4ZT_J6GVCW-iGXnWXvAFQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: multipart/alternative; boundary="001a11c30e50c4f4f404e44ec880"
Cc: "draft-ietf-websec-x-frame-options@tools.ietf.org" <draft-ietf-websec-x-frame-options@tools.ietf.org>, Barry Leiba <barryleiba@computer.org>, websec <websec@ietf.org>, The IESG <iesg@ietf.org>, "websec-chairs@tools.ietf.org" <websec-chairs@tools.ietf.org>
Subject: Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 15:42:19 -0000

On Mon, Aug 19, 2013 at 10:41 AM, Tobias Gondrom <tobias.gondrom@gondrom.org
> wrote:

>  On 19/08/13 15:48, Richard Barnes wrote:
>
>
>
>
> On Sun, Aug 18, 2013 at 1:58 AM, Barry Leiba <barryleiba@computer.org>wrote:
>
>>  > (D2) It seems like this is a value that browsers might cache, to avoid
>>> > unnecessary requests if the same page is framed in the future.  If this
>>> > is something browsers do today, please say so.
>>>
>>> Actually I like to push back in this case, as I don't think we should go
>>> into implementation specific details that have no effect on the bits on
>>> the wire nor on the effective behavior of the browser.
>>> The X-Frame-Options header determines the behaviour for every individual
>>> requested page regarding framing in another web page in the browser.
>>> Whether the browser caches this information and compares the request
>>> with an existing cache from a request from before AND if the value is
>>> identical proceeds as before or whether the browser evaluates the
>>> X-Frame-Options header on each request should not be specified in this
>>> draft.
>>
>>
>>   I'll note also that this is particularly the case because this is
>> documenting something that exists, but that isn't recommended for
>> implementation.  If this were a PS that we were recommending for new
>> implementations, it might make more sense to talk about how to do caching
>> for better implementations.
>>
>>  Barry
>>
>
>  I understand.  Caching is just another aspect of existing implementation
> behavior that I think should be documented.
>
>  Of course, I may be off base here.  If nobody does it, and people think
> it's patently obvious that you never would, then I could clear.
>
>  --Richard
>
>
> Richard,
>
> in short: I think, we really don't need and in fact should not discuss
> caching of the existing implementations in this draft.
>
> Some info fyi:
> caching has only very limited (or no) benefit here. Because the browser
> has to check for every http-request of the resource whether the
> X-Frame-Options header has been set and then act accordingly. It is also a
> very simple check.
>
> And consider as a page itself might be dynamic, the header can change with
> it, too.
>
> As mentioned in my answer before the only mini advantage of caching might
> be that the browser sees the header is still the same as before (with a
> simple TRUE/FALSE regex) and then doesn't have to evaluate the ruleset
> again e.g. if ALLOW-FROM is set if you already did so in your previous
> call.
> But nearly all of the X-Frame-Options requests are DENY or SAMEORIGIN in
> which case the comparison of the header with the previous one would not be
> much cheaper than to just run the regex rule for the header itself.
>
> And also, as outlined in section 2.3.2.3., servers may generate
> X-Frame-Options header responses depending on the request.
> Example case: Consider that we have only one serialized-origin in the
> ALLOW-FROM directive. Now imagine a user has multiple pages open in his
> browser tabs with one of web page 1 from domain A and the second of web
> page 2 from domain B both frame the same page from domain C with the
> ALLOW-FROM directive. In that case the page needs to reply to both requests
> with different X-Frame-Options headers, the first pointing to origin A, the
> second to origin B.
> But then many implementations don't support the ALLOW-FROM directive....
>
> So to summarize my answer: we really don't need and in fact should not
> discuss caching of the existing implementations.
>
> All the best, Tobias
>

Again, I'm not looking for an analysis of the merits here, just what
current browsers do.  It looks like Firefox doesn't cache anything [1], but
I don't know about other browsers.  If anyone does, then this document
should warn people.  If there are no known instances of caching, I'll just
clear.

In a related vein, the code below demonstrates that at least Firefox *will*
accept a URI with ALLOW-FROM, and (correctly) do the comparison based on
the origin of that URI.  If other browsers do this, then with regard to
(D3), it seems this document should probably say that the header *syntax*
allows a URI, but the *comparison* is done based on the origin of the URI
(Section 4 of RFC 6454).

Thanks,
--Richard

[1] <
http://dxr.mozilla.org/mozilla-central/source/docshell/base/nsDSURIContentListener.cpp#l361
>

v2.23.0 | Report a Bug | By Email