Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
Richard Barnes <rlb@ipv.sx> Mon, 19 August 2013 13:45 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79D3221F8C66 for <websec@ietfa.amsl.com>; Mon, 19 Aug 2013 06:45:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[AWL=0.178, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rHLtQ6cU82oA for <websec@ietfa.amsl.com>; Mon, 19 Aug 2013 06:45:44 -0700 (PDT)
Received: from mail-ob0-f169.google.com (mail-ob0-f169.google.com [209.85.214.169]) by ietfa.amsl.com (Postfix) with ESMTP id 9C1C011E827C for <websec@ietf.org>; Mon, 19 Aug 2013 06:45:44 -0700 (PDT)
Received: by mail-ob0-f169.google.com with SMTP id wc20so5402860obb.14 for <websec@ietf.org>; Mon, 19 Aug 2013 06:45:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=17sAyHyV7OPGRCzlPXRvmCenhKBXKqo+cyhtsB2vsos=; b=exAqd3teUyqdt/QwMa7ZvxUyl7MDVmbByjm4+Ss+Tekz40NC0ENdfWxPunXvhaJX/Y kU1kVA4KaRQFdIWLIdU+sSs3RE/DC++VkAvpORWggOE/vFDa4ou8iVnReVxkB/TXPnLW rqVbNAGZD3d06e/5fiA1i32TReOjRpeLxvoSelshRRF1j/FzFk/nLcXhP1/I5OsW1x4T H/wpB6mF4u0un34gZniHYRfgNe9XW5fud7EToC67ylmwMyrB65dAPSLFLbEcT7y1gcul jwGppMKgluBoVhRq7ca0QOZuoVlUQQot5lazrqLb7BfheggbKae4roI5Gy5nOEVydtZn QRoQ==
X-Gm-Message-State: ALoCoQmyE6VvRarKLr+lEacu8vrHYFDB/uaB/FlR36VQpu4BZJEnWAtgOWN6VN9XUAV18DeEokHI
MIME-Version: 1.0
X-Received: by 10.182.104.130 with SMTP id ge2mr13123793obb.6.1376919944120; Mon, 19 Aug 2013 06:45:44 -0700 (PDT)
Received: by 10.60.31.74 with HTTP; Mon, 19 Aug 2013 06:45:44 -0700 (PDT)
X-Originating-IP: [192.1.255.218]
In-Reply-To: <520FFD18.2010008@gondrom.org>
References: <20130815014121.17800.33179.idtracker@ietfa.amsl.com> <520FFD18.2010008@gondrom.org>
Date: Mon, 19 Aug 2013 09:45:44 -0400
Message-ID: <CAL02cgQoB_zToX3XgL4bPsafMumMAh6=34DUurwKh9xK9kWHjw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: multipart/alternative; boundary="089e0112cf10275ae304e44d2806"
Cc: "draft-ietf-websec-x-frame-options@tools.ietf.org" <draft-ietf-websec-x-frame-options@tools.ietf.org>, websec <websec@ietf.org>, The IESG <iesg@ietf.org>, "websec-chairs@tools.ietf.org" <websec-chairs@tools.ietf.org>
Subject: Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 13:45:49 -0000
On Sat, Aug 17, 2013 at 6:45 PM, Tobias Gondrom <tobias.gondrom@gondrom.org>wrote: > Dear Richard, > > thanks for the review and your discusses and comments. > Answers inline. > I followed all your suggestions in version-10, except for D2. > Thanks for the review and all the best, > > Tobias > > > > On 15/08/13 02:41, Richard Barnes wrote: > > Richard Barnes has entered the following ballot position for > > draft-ietf-websec-x-frame-options-09: Discuss > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > http://datatracker.ietf.org/doc/draft-ietf-websec-x-frame-options/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > (D1) The privacy considerations make no sense to me. To whom is data > > being leaked? To the browser? To random people who send a request to a > > URI? Do you mean that X-Frame-Options leaks information about who the > > site authorizes? That's true, but also true of things like CORS. If > > this is the concern, you should recommend a mitigation that's basically > > the same as what CORS does, namely varying the value of X-Frame-Options > > based on the Referer or Origin header. > Yes. > Ok. I expanded the text and explanation of the privacy considerations > section accordingly. > > > > > (D2) It seems like this is a value that browsers might cache, to avoid > > unnecessary requests if the same page is framed in the future. If this > > is something browsers do today, please say so. > > Actually I like to push back in this case, as I don't think we should go > into implementation specific details that have no effect on the bits on > the wire nor on the effective behavior of the browser. > The X-Frame-Options header determines the behaviour for every individual > requested page regarding framing in another web page in the browser. > Whether the browser caches this information and compares the request > with an existing cache from a request from before AND if the value is > identical proceeds as before or whether the browser evaluates the > X-Frame-Options header on each request should not be specified in this > draft. > > I get this. I'm actually just asking for some clarification about what browsers do -- whether they do or don't cache X-Frame-Options settings. It seems like something that could cause problems for web site operators, so it would be helpful to know. Not looking for any normative text here. > > > > (D3) Shouldn't ALLOW-FROM be followed by an origin, not a URI? In other > > words, what does it mean to send "X-Frame-Options: ALLOW-FROM > > https://example.com/this/is/a/path?query#fragment"? > > Yes. You are right we can refine the definition to "serialized-origin" > (as a subset of URI). > Please note that according to RFC6454 we need to use "serialized-origin" > here and not origin (as origin in RFC6454 refers also to a list of > origins, which would not be acceptable here). > I adjusted the text accordingly. > > Note: From an editorial standpoint we can debate whether to use lower > case "serialized-origin" or capital "SERIALIZED-ORIGIN". RFC6454 uses > lower case. So I used that one, but I am open for either. It seems like the ABNF in this document should just import the ABNF from RF 6454. So, "serialized-origin". > > > > > (D3) In the ALLOW-FROM: what does "top level context" mean? Do you > > really mean the top level here, as opposed to the next one up? > Yes. And unfortunately with the problems you outlined in the next > sentence (which are also described in the security considerations > sections of the draft.) > Ted raised a related comment. So I guess the current text regarding > nesting and potential problem is not sufficiently clear. So I will add > further explanations. And I will add a reference to the security > considerations section which already contains a paragraph about this > problem. (i.e. the 2nd paragraph). > > > > For > > example, suppose A loads B in an iframe, and B loads C, and then C sends > > an X-Frame-Options header with ALLOW-FROM. Is the ALLOW-FROM origin > > compared to B or A? In either case, you should also note the attacks > > that remain. For example, if the answer is B, then B needs to use > > X-Frame-Options as well, or else, A can maliciously frame A within B. Or > > if the answer is A, then C is trusting A not to load any malicious > > intermediate frames B. > I added text accordingly to section 5. > (and I initiated a research query to re-confirm again that we still have > the two inconsistent browser behaviour cases here (framing page vs. > top-level frame, as I wrote in the draft). Great, that should be fine. I've gone ahead and cleared this point. > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > (C1) In the Introduction, the phrase "secure web page" would seem to > > imply that this mechanism only applies to pages delivered over HTTPS, > > which I'm pretty sure isn't true. Suggest just deleting "secure". > Ok. removed. > > > > > (C2) In Section 2.1, the sentence starting "And the algorithm" seems to > > imply that ALLOW-FROM allows SAMEORIGIN requests as well, which I think > > you actually mean something like: > > """ > > And the algorithm to compare origins from [RFC6454] SHOULD be used to > > verify that a referring page is of the same origin as the content (in the > > case of SAMEORIGIN) or that the referring page's origin is identical with > > the ALLOW-FROM URI (in the case of ALLOW-FROM). > > """ > Thank you. I changed the text to your suggestion. > > > > > _______________________________________________ > > websec mailing list > > websec@ietf.org > > https://www.ietf.org/mailman/listinfo/websec > >
- [websec] Richard Barnes' Discuss on draft-ietf-we… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Hill, Brad
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Barry Leiba
- Re: [websec] Richard Barnes' Discuss on draft-iet… Yoav Nir
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Barry Leiba
- Re: [websec] Richard Barnes' Discuss on draft-iet… Hill, Brad
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes