Re: [websec] WGLC for X-Frame-Options
Yoav Nir <ynir@checkpoint.com> Wed, 31 October 2012 08:04 UTC
From: Yoav Nir <ynir@checkpoint.com>
To: IETF WebSec WG <websec@ietf.org>
Date: Wed, 31 Oct 2012 10:04:43 +0200
Message-ID: <124AE7B2-5EB7-42E6-A4CA-F89B2AEF43F8@checkpoint.com>
References: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>
In-Reply-To: <D418C856-1FA9-4FA3-805D-6A44042B5A36@checkpoint.com>

Hi all

Don't forget to review and comment on the X-Frame-Options draft. Here's my review (no hats).

Informational documents do not specify standards. The boilerplate says so:

   This document is not an Internet Standards Track specification; it is published for informational purposes.

I suggest in the abstract changing "... this standard defines" to "... this document describes".

The abstract is a little hard to read. Suggested text:

OLD:
   To improve the protection of web applications against Clickjacking this standard defines an http response header that declares a policy communicated from a host to the client browser on whether the browser must not display the transmitted content in frames of other web pages. This drafts serves to document the existing use and specification of X-Frame-Options.

NEW:
   To improve the protection of web applications against Clickjacking, this document describes an http response header that declares a policy communicated from the server to the client browser on whether the browser may display the transmitted content in frames that are part of other web pages. This draft serves to document the existing use and specification of X-Frame-Options.

Section 1: the draft is not going to be replaced, but hopefully, the header is.

OLD:
   This draft is to document the current use of X-Frame-Options header and shall in the future be replaced by the Frame-Options [FRAME-OPTIONS] standard.

NEW:
   This draft documents the current use of the X-Frame-Options header, which shall in the future be replaced by the Frame-Options [FRAME-OPTIONS] standards-based header.

Section 2: I don't think you should have a MUST NOT after 'whether'. Also, the capitalization seems to indicate normative language, while what you are actually describing are the semantics of the header.

OLD:
   The X-Frame-Options HTTP response header indicates a policy whether a browser MUST NOT allow to render a page in a <frame> or <iframe>. Hosts can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, by ensuring that their content is not embedded into other pages or frames.

NEW:
   The X-Frame-Options HTTP response header indicates a policy on whether the browser should render the transmitted resource within a <frame> or <iframe>. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, by ensuring that their content is not embedded into other pages or frames.

Section 2.1: s/NOT more than one of the three values MUST be/exactly one of the three values MUST be/

Also, to avoid the line break in the middle of the example header, please break after "For example:" under ALLOW_FROM.

Section 2.2: I think you're defining "Frame-Options". Don't forget the "X-" on the right side of the equals sign.

RFC 822 has been obsoleted twice. The latest is 5322, although the actual syntax is in 5234, so maybe that's the one you should reference.

Yoav
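The review above turns on two points of the header's semantics: exactly one of the three values (DENY, SAMEORIGIN, ALLOW-FROM <uri>) must be present, and the policy decides whether the resource may be rendered in a frame. The following is an added illustration, not part of the list message or the draft: a small checker that parses an X-Frame-Options field value and decides whether a resource may be framed by a given top-level page. It assumes the deployed spelling ALLOW-FROM (the review quotes the draft's "ALLOW_FROM"), compares against the top-level page's origin, and treats a malformed header as fail-closed, which is this example's own conservative choice rather than anything the draft states.

```python
from urllib.parse import urlsplit

# Default ports used when a URL omits one, so that origin comparison
# treats https://a.example and https://a.example:443 as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) origin of a URL, or raise ValueError."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("URL without scheme or host: %r" % url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname.lower(), port)


def parse_xfo(header_value):
    """Parse an X-Frame-Options field value into (directive, allowed_origin).

    Raises ValueError unless exactly one of DENY, SAMEORIGIN or
    ALLOW-FROM <uri> is present; comma-joined repeats count as malformed.
    """
    values = [v.strip() for v in header_value.split(",")]
    if len(values) != 1 or not values[0]:
        raise ValueError("expected exactly one value, got %r" % header_value)
    tokens = values[0].split()
    directive = tokens[0].upper()
    if directive in ("DENY", "SAMEORIGIN") and len(tokens) == 1:
        return directive, None
    if directive == "ALLOW-FROM" and len(tokens) == 2:
        return directive, origin_of(tokens[1])
    raise ValueError("unrecognised X-Frame-Options value: %r" % header_value)


def may_frame(header_value, resource_url, top_url):
    """Decide whether resource_url may be rendered in a frame on page top_url.

    Returns (allowed, reason). No header means no policy, so framing is allowed.
    A malformed header is refused here (assumption: fail-closed for illustration).
    """
    if header_value is None:
        return True, "no X-Frame-Options header"
    try:
        directive, allowed_origin = parse_xfo(header_value)
    except ValueError as err:
        return False, "malformed header: %s" % err
    if directive == "DENY":
        return False, "DENY"
    top = origin_of(top_url)
    same = top == (origin_of(resource_url) if directive == "SAMEORIGIN" else allowed_origin)
    return same, "%s (%s)" % (directive, "origin matches" if same else "origin does not match")
```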