IETF Logo Mail Archive

Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Mon, 19 August 2013 13:45 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79D3221F8C66 for <websec@ietfa.amsl.com>; Mon, 19 Aug 2013 06:45:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[AWL=0.178, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rHLtQ6cU82oA for <websec@ietfa.amsl.com>; Mon, 19 Aug 2013 06:45:44 -0700 (PDT)
Received: from mail-ob0-f169.google.com (mail-ob0-f169.google.com [209.85.214.169]) by ietfa.amsl.com (Postfix) with ESMTP id 9C1C011E827C for <websec@ietf.org>; Mon, 19 Aug 2013 06:45:44 -0700 (PDT)
Received: by mail-ob0-f169.google.com with SMTP id wc20so5402860obb.14 for <websec@ietf.org>; Mon, 19 Aug 2013 06:45:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=17sAyHyV7OPGRCzlPXRvmCenhKBXKqo+cyhtsB2vsos=; b=exAqd3teUyqdt/QwMa7ZvxUyl7MDVmbByjm4+Ss+Tekz40NC0ENdfWxPunXvhaJX/Y kU1kVA4KaRQFdIWLIdU+sSs3RE/DC++VkAvpORWggOE/vFDa4ou8iVnReVxkB/TXPnLW rqVbNAGZD3d06e/5fiA1i32TReOjRpeLxvoSelshRRF1j/FzFk/nLcXhP1/I5OsW1x4T H/wpB6mF4u0un34gZniHYRfgNe9XW5fud7EToC67ylmwMyrB65dAPSLFLbEcT7y1gcul jwGppMKgluBoVhRq7ca0QOZuoVlUQQot5lazrqLb7BfheggbKae4roI5Gy5nOEVydtZn QRoQ==
X-Gm-Message-State: ALoCoQmyE6VvRarKLr+lEacu8vrHYFDB/uaB/FlR36VQpu4BZJEnWAtgOWN6VN9XUAV18DeEokHI
MIME-Version: 1.0
X-Received: by 10.182.104.130 with SMTP id ge2mr13123793obb.6.1376919944120; Mon, 19 Aug 2013 06:45:44 -0700 (PDT)
Received: by 10.60.31.74 with HTTP; Mon, 19 Aug 2013 06:45:44 -0700 (PDT)
X-Originating-IP: [192.1.255.218]
In-Reply-To: <520FFD18.2010008@gondrom.org>
References: <20130815014121.17800.33179.idtracker@ietfa.amsl.com> <520FFD18.2010008@gondrom.org>
Date: Mon, 19 Aug 2013 09:45:44 -0400
Message-ID: <CAL02cgQoB_zToX3XgL4bPsafMumMAh6=34DUurwKh9xK9kWHjw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: multipart/alternative; boundary="089e0112cf10275ae304e44d2806"
Cc: "draft-ietf-websec-x-frame-options@tools.ietf.org" <draft-ietf-websec-x-frame-options@tools.ietf.org>, websec <websec@ietf.org>, The IESG <iesg@ietf.org>, "websec-chairs@tools.ietf.org" <websec-chairs@tools.ietf.org>
Subject: Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 13:45:49 -0000

On Sat, Aug 17, 2013 at 6:45 PM, Tobias Gondrom
<tobias.gondrom@gondrom.org>wrote:

> Dear Richard,
>
> thanks for the review and your discusses and comments.
> Answers inline.
> I followed all your suggestions in version-10, except for D2.
> Thanks for the review and all the best,
>
> Tobias
>
>
>
> On 15/08/13 02:41, Richard Barnes wrote:
> > Richard Barnes has entered the following ballot position for
> > draft-ietf-websec-x-frame-options-09: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-websec-x-frame-options/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > (D1) The privacy considerations make no sense to me.  To whom is data
> > being leaked?  To the browser?  To random people who send a request to a
> > URI?  Do you mean that X-Frame-Options leaks information about who the
> > site authorizes?  That's true, but also true of things like CORS.  If
> > this is the concern, you should recommend a mitigation that's basically
> > the same as what CORS does, namely varying the value of X-Frame-Options
> > based on the Referer or Origin header.
> Yes.
> Ok. I expanded the text and explanation of the privacy considerations
> section accordingly.
>
> >
> > (D2) It seems like this is a value that browsers might cache, to avoid
> > unnecessary requests if the same page is framed in the future.  If this
> > is something browsers do today, please say so.
>
> Actually I like to push back in this case, as I don't think we should go
> into implementation specific details that have no effect on the bits on
> the wire nor on the effective behavior of the browser.
> The X-Frame-Options header determines the behaviour for every individual
> requested page regarding framing in another web page in the browser.
> Whether the browser caches this information and compares the request
> with an existing cache from a request from before AND if the value is
> identical proceeds as before or whether the browser evaluates the
> X-Frame-Options header on each request should not be specified in this
> draft.
>
>

I get this.  I'm actually just asking for some clarification about what
browsers do -- whether they do or don't cache X-Frame-Options settings.  It
seems like something that could cause problems for web site operators, so
it would be helpful to know.  Not looking for any normative text here.



> >
> > (D3) Shouldn't ALLOW-FROM be followed by an origin, not a URI?  In other
> > words, what does it mean to send "X-Frame-Options: ALLOW-FROM
> > https://example.com/this/is/a/path?query#fragment"?
>
> Yes. You are right we can refine the definition to "serialized-origin"
> (as a subset of URI).
> Please note that according to RFC6454 we need to use "serialized-origin"
> here and not origin (as origin in RFC6454 refers also to a list of
> origins, which would not be acceptable here).
> I adjusted the text accordingly.
>
> Note: From an editorial standpoint we can debate whether to use lower
> case "serialized-origin" or capital "SERIALIZED-ORIGIN". RFC6454 uses
> lower case. So I used that one, but I am open for either.



It seems like the ABNF in this document should just import the ABNF from RF
6454.  So, "serialized-origin".



>
> >
> > (D3) In the ALLOW-FROM: what does "top level context" mean?  Do you
> > really mean the top level here, as opposed to the next one up?
> Yes. And unfortunately with the problems you outlined in the next
> sentence (which are also described in the security considerations
> sections of the draft.)
> Ted raised a related comment. So I guess the current text regarding
> nesting and potential problem is not sufficiently clear. So I will add
> further explanations. And I will add a reference to the security
> considerations section which already contains a paragraph about this
> problem. (i.e. the 2nd paragraph).
>
>
> > For
> > example, suppose A loads B in an iframe, and B loads C, and then C sends
> > an X-Frame-Options header with ALLOW-FROM.  Is the ALLOW-FROM origin
> > compared to B or A?  In either case, you should also note the attacks
> > that remain.  For example, if the answer is B, then B needs to use
> > X-Frame-Options as well, or else, A can maliciously frame A within B.  Or
> > if the answer is A, then C is trusting A not to load any malicious
> > intermediate frames B.
> I added text accordingly to section 5.
> (and I initiated a research query to re-confirm again that we still have
> the two inconsistent browser behaviour cases here (framing page vs.
> top-level frame, as I wrote in the draft).


Great, that should be fine.  I've gone ahead and cleared this point.




> >
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > (C1) In the Introduction, the phrase "secure web page" would seem to
> > imply that this mechanism only applies to pages delivered over HTTPS,
> > which I'm pretty sure isn't true.  Suggest just deleting "secure".
> Ok. removed.
>
> >
> > (C2) In Section 2.1, the sentence starting "And the algorithm" seems to
> > imply that ALLOW-FROM allows SAMEORIGIN requests as well, which I think
> > you actually mean something like:
> > """
> > And the algorithm to compare origins from [RFC6454] SHOULD be used to
> > verify that a referring page is of the same origin as the content (in the
> > case of SAMEORIGIN) or that the referring page's origin is identical with
> > the ALLOW-FROM URI (in the case of ALLOW-FROM).
> > """
> Thank you. I changed the text to your suggestion.
>
> >
> > _______________________________________________
> > websec mailing list
> > websec@ietf.org
> > https://www.ietf.org/mailman/listinfo/websec
>
>

v2.23.0 | Report a Bug | By Email