Re: [websec] Coordinating Frame-Options and CSP UI Safety directives
"Hill, Brad" <bhill@paypal-inc.com> Tue, 17 July 2012 23:32 UTC
Return-Path: <bhill@paypal-inc.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 557CA11E80EC for <websec@ietfa.amsl.com>; Tue, 17 Jul 2012 16:32:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.117
X-Spam-Level:
X-Spam-Status: No, score=-9.117 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, DNS_FROM_RFC_BOGUSMX=1.482, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lm9rvSLaFDuU for <websec@ietfa.amsl.com>; Tue, 17 Jul 2012 16:32:36 -0700 (PDT)
Received: from den-mipot-001.corp.ebay.com (den-mipot-001.corp.ebay.com [216.113.175.152]) by ietfa.amsl.com (Postfix) with ESMTP id 5E27511E80EA for <websec@ietf.org>; Tue, 17 Jul 2012 16:32:36 -0700 (PDT)
DomainKey-Signature: s=ppinc; d=paypal-inc.com; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:From:To: Subject:Thread-Topic:Thread-Index:Date:Message-ID: References:In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:x-originating-ip: x-ems-proccessed:x-ems-stamp:Content-Type: Content-Transfer-Encoding:MIME-Version:X-CFilter; b=akgKX9rcW41UqX/7DG+tCtG8X8ymlUUyJqgCgIh0wovMcl7js+eI2d8O rWeqYzc4kgtaYcZ4kvTI33d45uWEZg7nziZtNsspBwwQADtGaWUL5ml9u ouGIZdhBjupVshP;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-inc.com; i=bhill@paypal-inc.com; q=dns/txt; s=ppinc; t=1342568005; x=1374104005; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=l708h4AJQZb5P89i271SsHjD6TRyje/JRw7J42AKu5Q=; b=w4rfYFTwHiMvjMDAsAWUsEYVMEIePtl8j2P4vqEjBglELUFqVhj+FjWa MuzbMLoZw337M1gHcBxJSkkdesBszR+h/A71GEe/VQZ7Yfk+VP5BVyJ3U p317rqBBhc34BxY;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos;i="4.77,606,1336374000"; d="scan'208";a="8698855"
Received: from den-vtenf-002.corp.ebay.com (HELO DEN-EXMHT-004.corp.ebay.com) ([10.101.112.213]) by den-mipot-001.corp.ebay.com with ESMTP; 17 Jul 2012 16:33:25 -0700
Received: from DEN-EXDDA-S12.corp.ebay.com ([fe80::40c1:9cf7:d21e:46c]) by DEN-EXMHT-004.corp.ebay.com ([fe80::a487:c570:9abc:bb59%14]) with mapi id 14.02.0298.004; Tue, 17 Jul 2012 17:33:16 -0600
From: "Hill, Brad" <bhill@paypal-inc.com>
To: David Ross <dross@microsoft.com>, =JeffH <Jeff.Hodges@KingsMountain.com>, IETF WebSec WG <websec@ietf.org>
Thread-Topic: [websec] Coordinating Frame-Options and CSP UI Safety directives
Thread-Index: AQHNYI6lkz8Gk35PQYOw0F4CVEc1fpcsMs4AgAH0c3A=
Date: Tue, 17 Jul 2012 23:33:16 +0000
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E187BA8@DEN-EXDDA-S12.corp.ebay.com>
References: <4FFF6C0C.7010404@KingsMountain.com> <9B5348748B708948989B17CC0AEA3DD004936E@SN2PRD0310MB395.namprd03.prod.outlook.com>
In-Reply-To: <9B5348748B708948989B17CC0AEA3DD004936E@SN2PRD0310MB395.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.245.27.243]
x-ems-proccessed: 10SqDH0iR7ekR7SRpKqm5A==
x-ems-stamp: +fybItlSPMqEarikoOoI7A==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter: Scanned
Subject: Re: [websec] Coordinating Frame-Options and CSP UI Safety directives
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 23:32:37 -0000
Dave, What's the case for the "NoAncestors" behavior? Is it just a performance optimization? I'm a little bit concerned that walking the full ancestors stack is going to become quite important as more sites start using constructs like seamless, sandboxed iframes to display untrusted content. Thanks, Brad > -----Original Message----- > From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On > Behalf Of David Ross > Sent: Monday, July 16, 2012 10:55 AM > To: =JeffH; IETF WebSec WG > Subject: Re: [websec] Coordinating Frame-Options and CSP UI Safety > directives > > In the interest of bloat as measured in bits, in this case it makes sense to > optimize for (2), reducing header value bloat, even if this is at the expense of > (1), reducing header name bloat. I was worried that with CSP we can't > achieve on (2). But if we can specify the ABNF as you suggest below, that > solves the problem. > > I also would like to see the inclusion of the AllAncestors flag as you suggest > below. Or if it makes more sense here, a "NoAncestors" flag. > > Dave > > -----Original Message----- > From: =JeffH [mailto:Jeff.Hodges@KingsMountain.com] > Sent: Thursday, July 12, 2012 5:30 PM > To: David Ross; IETF WebSec WG > Subject: Re: [websec] Coordinating Frame-Options and CSP UI Safety > directives > > thanks for your thoughts Dave, > > > My concern is mostly around the degree to which a move to CSP might > > complicate or stall the process. > > by this I presume you mean the process of producing a spec for a > standardized "frame-options" (i.e., the successor to "x-frame-options"). > > I don't think leveraging CSP as a framework, per se, would necessarily slow > this down. > > > I'd also prefer not to see additional use > cases pop up (eg: click fraud > prevention) that just were never in scope > before. > > I think it's reasonable to discuss whether the "frame-options" policy directive > (aka "frame-ancestors", "embed-ancestors") should be specified as a part of > the nascent "UI Safety directives" spec (in W3C WebAppSec), or the CSP 1.1 > spec (in W3C WebAppSec), or as a stand-alone spec. > > > > I think that w.r.t. header bloat, > > Ah, so there's two aspects to "header bloat" in this discussion.. > > 1. "header bloat" in relation to possibly defining yet another HTTP header > field to convey a security policy, i.e. a stand-alone "frame-options" header > field. > > 2. "header value bloat" in terms of having a header field into which server > operators may feel obliged to cram a huge list of items (i.e., origins). > > From a high-level perspective, casting "frame-options" as a CSP directive > works towards addressing (1). > > > > the most sensible approach is to only allow one origin to be specified. > > And this statement is addressing (2). > > > > CSP by-design facilitates the use of multiple origins. > > However, the ABNF of any particular CSP directive can be crafted in order to > allow only one origin to be specified as a value, e.g. like so.. > > directive-name = "frame-options" > directive-value = host-source > > [ where host-source is defined as.. > > host-source = [ scheme "://" ] host [ port ] > ] > > > As we've discussed w/Frame-Options, there is a design pattern to > make > the more basic single-origin approach functional. > > understood. > > (fwiw, I'd term what you're calling a "design pattern" as a "implementation > and deployment technique") > > > > With regard to obsolescence of X-FRAME-OPTIONS, it's easy to specify > exactly > > what happens in the FRAME-OPTIONS spec. I don't see that CSP inherently > > improves on that but I may be missing something there. > > regardless of which specification vehicle we use for the "frame-options" > policy > directive, we'll be able to denote (in some fashion) that it supersedes the old > "x-frame-options" header. (this is going to be somewhat messy in any case) > > > > The advantage I see of bringing FRAME-OPTIONS into CSP is that it makes > CSP > > more comprehensive. But I suspect there are plenty of other header- > related > > security features that aren't defined by CSP (eg: the origin header, cookie > > security). > > well, of course CSP doesn't encompass "everything" and isn't intended to. > But we > certainly should be carefully considering consolidating policy directive > conveyance as appropriate, and the "frame-options" (aka "frame-ancestors", > "embed-ancestors") notion seems to fall reasonably within the "content > security > policy" space -- a key aspect being that it is regarding a particular resource > representation (as I presently understand it). > > > > Finally, as Brad pointed out in the rosetta stone thread, Frame-Options > > provides the flexibility to perform only a top level origin check as opposed > > to a full ancestor check. (Specified via the "AllAncestors" flag.) > > Well, the "AllAncestors" flag can certainly be added to a CSP-based > "frame-options" policy directive. e.g. by defining a new "keyword-source" of > 'all-ancestors'. > > =JeffH > > > > > > > > > > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec
- [websec] Coordinating Frame-Options and CSP UI Sa… Hill, Brad
- Re: [websec] Coordinating Frame-Options and CSP U… Tobias Gondrom
- Re: [websec] Coordinating Frame-Options and CSP U… Tobias Gondrom
- Re: [websec] Coordinating Frame-Options and CSP U… Hill, Brad
- Re: [websec] Coordinating Frame-Options and CSP U… =JeffH
- Re: [websec] Coordinating Frame-Options and CSP U… David Ross
- Re: [websec] Coordinating Frame-Options and CSP U… David Ross
- Re: [websec] Coordinating Frame-Options and CSP U… Hill, Brad
- Re: [websec] Coordinating Frame-Options and CSP U… Adam Barth
- Re: [websec] Coordinating Frame-Options and CSP U… David Ross
- Re: [websec] Coordinating Frame-Options and CSP U… David Ross
- Re: [websec] Coordinating Frame-Options and CSP U… Thomas Roessler
- Re: [websec] Coordinating Frame-Options and CSP U… Tobias Gondrom
- Re: [websec] Coordinating Frame-Options and CSP U… Adam Barth
- Re: [websec] Coordinating Frame-Options and CSP U… Tobias Gondrom
- Re: [websec] Coordinating Frame-Options and CSP U… Adam Barth
- Re: [websec] Coordinating Frame-Options and CSP U… David Ross
- Re: [websec] Coordinating Frame-Options and CSP U… Adam Barth