Re: [websec] X-Frame-Options EBNF bug at Mozilla
Tobias Gondrom <tobias.gondrom@gondrom.org> Tue, 26 February 2013 10:25 UTC
To: bhill@paypal-inc.com
Cc: julian.reschke@gmx.de, websec@ietf.org

Thanks a lot for bringing this to WG attention.
It seems that I misread that point when I first wrote the draft. Actually the same is true for IE.
I corrected the ABNF in the new version to reflect IE and Mozilla behavior.

Best regards and thanks a lot for catching this!

Tobias

On 12/02/13 06:09, Hill, Brad wrote:
> This bug at Mozilla was recently brought to my attention:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=836132
>
> It seems to indicate that the specified EBNF of using a colon between "ALLOW-FROM" and the URI is not the actual behavior of most user agents that implement that functionality.
>
> Perhaps we should update this to reflect the predominant implementation in the field. (Internet Explorer's)
>
> -Brad
>
>> -----Original Message-----
>> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On
>> Behalf Of Yoav Nir
>> Sent: Tuesday, January 29, 2013 5:30 AM
>> To: Julian Reschke
>> Cc: IETF WebSec WG
>> Subject: Re: [websec] WGLC feedback for X-Frame-Options
>>
>> Yes. Tobias will submit a revised version soon, incorporating the WGLC
>> comments.
>>
>> Yoav
>>
>> On Jan 29, 2013, at 3:20 PM, Julian Reschke <julian.reschke@gmx.de>
>> wrote:
>>
>>> On 2012-11-06 18:25, Julian Reschke wrote:
>>>> Hi there,
>>>>
>>>> here's my feedback from the HTTP/editorial point of view:
>>>> ...
>>> Just checking: is the WG still working on this draft? There doesn't seem to be any activity since October 2012...
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
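
The grammar mismatch discussed in this thread, as an added example that is not part of the original messages or of the draft: a small linter for X-Frame-Options values that accepts the whitespace-separated ALLOW-FROM form (the form later published in RFC 7034) and flags the colon form from the early draft grammar, which per the thread is not what IE and Mozilla implement, so a server emitting it may get no framing protection. The function name `lint_xfo`, the status strings and the sample values are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# RFC 7034 form: "ALLOW-FROM" RWS origin (values are case-insensitive).
_WS_FORM = re.compile(r"^ALLOW-FROM[ \t]+(\S+)$", re.IGNORECASE)
# Early draft grammar discussed in the thread: colon between keyword and URI.
_COLON_FORM = re.compile(r"^ALLOW-FROM[ \t]*:[ \t]*(\S+)$", re.IGNORECASE)


def _is_http_origin(uri):
    """True if uri has an http(s) scheme and a host component."""
    try:
        parts = urlsplit(uri)
        return parts.scheme in ("http", "https") and bool(parts.hostname)
    except ValueError:
        return False


def lint_xfo(value):
    """Classify one X-Frame-Options field value; returns (status, detail)."""
    v = value.strip(" \t")
    if v.upper() in ("DENY", "SAMEORIGIN"):
        return ("ok", v.upper())
    match, colon = _WS_FORM.match(v), False
    if match is None:
        match = _COLON_FORM.match(v)
        colon = match is not None
    if match is None:
        return ("invalid", "unrecognised value: %r" % v)
    uri = match.group(1)
    if not _is_http_origin(uri):
        return ("invalid", "ALLOW-FROM needs an http(s) origin, got %r" % uri)
    if colon:
        # Parsable by the draft grammar, but not the deployed syntax.
        return ("colon-form", "rewrite as: ALLOW-FROM " + uri)
    return ("ok", "ALLOW-FROM " + uri)


# Constructed sample header values, not taken from the thread.
SAMPLES = [
    "DENY",
    "sameorigin",
    "ALLOW-FROM https://example.com",
    "ALLOW-FROM: https://example.com",
    "ALLOW-FROM example.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-34s -> %s: %s" % ((sample,) + lint_xfo(sample)))
```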