Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
Sean Turner <turners@ieca.com> Mon, 19 August 2013 22:37 UTC
Return-Path: <turners@ieca.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFA7F11E81A6 for <websec@ietfa.amsl.com>; Mon, 19 Aug 2013 15:37:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.795
X-Spam-Level:
X-Spam-Status: No, score=-101.795 tagged_above=-999 required=5 tests=[AWL=0.470, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id disRXBPZkggA for <websec@ietfa.amsl.com>; Mon, 19 Aug 2013 15:37:46 -0700 (PDT)
Received: from gateway15.websitewelcome.com (gateway15.websitewelcome.com [67.18.88.8]) by ietfa.amsl.com (Postfix) with ESMTP id 542A611E8182 for <websec@ietf.org>; Mon, 19 Aug 2013 15:37:41 -0700 (PDT)
Received: by gateway15.websitewelcome.com (Postfix, from userid 5007) id 4B6E534288712; Mon, 19 Aug 2013 17:37:37 -0500 (CDT)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway15.websitewelcome.com (Postfix) with ESMTP id 33C88342886C6 for <websec@ietf.org>; Mon, 19 Aug 2013 17:37:37 -0500 (CDT)
Received: from [96.231.225.44] (port=63866 helo=thunderfish.local) by gator3286.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from <turners@ieca.com>) id 1VBY4u-0003oY-P0; Mon, 19 Aug 2013 17:37:36 -0500
Message-ID: <52129E2F.1010700@ieca.com>
Date: Mon, 19 Aug 2013 18:37:35 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <20130814161444.6218.82572.idtracker@ietfa.amsl.com> <DE1E1196-CDF4-4D29-8ADD-F8DAE914B5E9@checkpoint.com>
In-Reply-To: <DE1E1196-CDF4-4D29-8ADD-F8DAE914B5E9@checkpoint.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (thunderfish.local) [96.231.225.44]:63866
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 20
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Cc: "<draft-ietf-websec-x-frame-options@tools.ietf.org>" <draft-ietf-websec-x-frame-options@tools.ietf.org>, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, "<websec-chairs@tools.ietf.org>" <websec-chairs@tools.ietf.org>
Subject: Re: [websec] Sean Turner's Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 22:37:52 -0000
This works for me I cleared. Thanks! spt On 8/18/13 11:09 AM, Yoav Nir wrote: > > On Aug 14, 2013, at 7:14 PM, Sean Turner <turners@ieca.com> wrote: > >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> It's interesting to note that this draft says there's a problem with >> folks not checking the origins of the entire ancestor tree of names of >> the framing resource - but then doesn't say that sounds like a good idea >> do it. I can see the argument that might be made that this draft is just >> documenting what's done now, but shouldn't we take the opportunity to do >> more and recommend something along the lines of "The entire ancestor tree >> of names of the framing resource SHOULD be checked to mitigate the risk >> of attacks in multiple-nested scenarios" or something like that? > > Hi Sean. The text has changed in version -10. There are still no RFC 2119 words there and no recommendations to browser vendors (as we take those to be immovable objects (the implementation, not the vendors)), but the recommendations to web developers have been changed from "should be aware" to "should make sure". Since we are documenting a given situation, which we hope will be changed by the CSP work, and since web developers cannot ignore the status quo (when *is* a good time to stop targetting IE8?), does this text change satisfy you? > > OLD: > For example, if a resource on origin A embeds > untrusted content from origin B, that untrusted content can embed > another resource from origin A with an X-Frame-Options: SAMEORIGIN > policy and that check would pass if the user agent only verifies the > top-level browsing context. Therefore web developers should be aware > that embedding content from other sites can leave their web pages > vulnerable to clickjacking even if the X-Frame-Options header is > used. > > NEW: > a. If the browser implementation evaluates based on the origins of > the framed page and the framing page: > Suppose a web page A (from origin 1) embeds a web page B (from > origin 2) in a frame or iframe which in turn embeds web page C > (from origin 2) using the x-frame-options header in a frame. In > this case web page B needs to use X-Frame-Options as well, or > else a malicious page A could frame page B and with that > indirectly also page C. Therefore web developers should make > sure that all pages from an origin that is allowed to frame a > given resource web page C should also use X-Frame-Options or > otherwise risk exposing web page C indirectly to Clickjacking > attacks. And so forth recursively until the top-level browsing- > context (i.e. most outer frame) is reached. > > b. If the browser implementation evaluates based on the origin of > the framed page and the top-level browsing-context (i.e. most > outer frame): > If a resource from origin A embeds untrusted content from origin > B, that untrusted content can embed another resource from origin > A with an X-Frame-Options: SAMEORIGIN policy and that check would > pass if the user agent only verifies the top-level browsing > context. Therefore web developers should be aware that embedding > content from other sites can leave their web pages vulnerable to > clickjacking even if the X-Frame-Options header is used. > > Yoav > >
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Barry Leiba
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Tobias Gondrom
- [websec] Sean Turner's Discuss on draft-ietf-webs… Sean Turner
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Yoav Nir
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Ted Lemon
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Tobias Gondrom
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Ted Lemon
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Tobias Gondrom
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Hill, Brad
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Yoav Nir
- Re: [websec] Sean Turner's Discuss on draft-ietf-… Sean Turner