Re: [websec] WGLC for X-Frame-Options

Julian Reschke <julian.reschke@gmx.de> Tue, 06 November 2012 16:26 UTC

Message-ID: <50993A1E.1010205@gmx.de>
Date: Tue, 06 Nov 2012 17:26:06 +0100
From: Julian Reschke <julian.reschke@gmx.de>
To: Alexey Melnikov <alexey.melnikov@isode.com>
References: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com> <124AE7B2-5EB7-42E6-A4CA-F89B2AEF43F8@checkpoint.com> <50984991.6000601@isode.com>
In-Reply-To: <50984991.6000601@isode.com>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] WGLC for X-Frame-Options

On 2012-11-06 00:19, Alexey Melnikov wrote:
> Here is my review (with my co-chair hat off):
>
> [RFC3986] should be a Normative reference (as it is required to
> parse/generate a valid X-Frame-Options header field).
>
> [RFC6454] is normative, because there is a SHOULD requirement to use it.
>
> In Section 2.1:
>
>    The ALLOW-FROM URI MUST be valid.
>
> I don't know what this means exactly. Can you elaborate?
>
> 2.2.  Backus-Naur Form (BNF)
>
>     The RFC 822 [RFC0822] EBNF of the X-Frame-Options header is:
>
> Which makes [RFC0822] Normative.
>
>           X-Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" /
>                                   ("ALLOW-FROM" ":" URI)
>
>     With URI as defined in [RFC3986]
>     [TBD] Or should we use the ABNF (RFC 2234) alternatively to EBNF or
>     in addition?
>
> Yes, you should use RFC 5234. This probably means inserting "[WSP]" in
> various places, but I think that would be much better.
> ...

Almost.

You should reference HTTPbis Part 1, and, in particular, *only* define 
the ABNF for the field value.

Best regards, Julian
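As an added example (not part of this thread or of the draft), a Python parser for the X-Frame-Options field value along the lines Alexey and Julian describe: the grammar covers only the field value, with optional whitespace allowed around the tokens, and the generic header-line split is left to HTTP's own rules. The ABNF in the comment, the case-insensitive matching of directive names, and reading "MUST be valid" as "absolute URI with a scheme and a host" are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Field-value grammar assumed for this example (not the draft's own text):
# the quoted EBNF recast as ABNF for the field value only, with optional
# whitespace (OWS) permitted around the tokens.
#
#   X-Frame-Options = OWS directive OWS
#   directive       = "DENY" / "SAMEORIGIN" / ( "ALLOW-FROM" OWS ":" OWS URI )
#   OWS             = *( SP / HTAB )
_FIELD_VALUE = re.compile(
    r"""^[ \t]*
        (?:(?P<simple>DENY|SAMEORIGIN)
          |ALLOW-FROM[ \t]*:[ \t]*(?P<uri>[^ \t]+))
        [ \t]*$""",
    re.IGNORECASE | re.VERBOSE,
)


class FrameOptions(NamedTuple):
    directive: str             # "DENY", "SAMEORIGIN" or "ALLOW-FROM"
    uri: Optional[str] = None  # set only for ALLOW-FROM


def parse_x_frame_options(field_value: str) -> FrameOptions:
    """Parse the *value* of an X-Frame-Options field (name and ':' excluded)."""
    m = _FIELD_VALUE.match(field_value)
    if m is None:
        raise ValueError(f"malformed X-Frame-Options value: {field_value!r}")
    if m.group("simple"):
        return FrameOptions(m.group("simple").upper())
    uri = m.group("uri")
    # "The ALLOW-FROM URI MUST be valid" is taken here (an assumption) to mean
    # an absolute URI with a scheme and a host, as an origin requires.
    parts = urlsplit(uri)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"ALLOW-FROM URI is not an absolute URI: {uri!r}")
    return FrameOptions("ALLOW-FROM", uri)


def parse_header_line(line: str) -> FrameOptions:
    """Split a header line per HTTP's generic field-name ":" field-value rule,
    then hand only the field value to the X-Frame-Options grammar."""
    name, sep, value = line.partition(":")
    if not sep or name.strip().lower() != "x-frame-options":
        raise ValueError(f"not an X-Frame-Options header line: {line!r}")
    return parse_x_frame_options(value)


def is_valid_x_frame_options(field_value: str) -> bool:
    """True if the field value parses; a server-side config check can use this."""
    try:
        parse_x_frame_options(field_value)
    except ValueError:
        return False
    return True
```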