Re: [websec] Acceptance of draft-gondrom-frame-options-02.txt and draft-gondrom-x-frame-options-00.txt as WebSec WG documents

Chris Weber <chris@lookout.net> Mon, 16 April 2012 18:49 UTC

Return-Path: <chris@lookout.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE11511E809D for <websec@ietfa.amsl.com>; Mon, 16 Apr 2012 11:49:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.87
X-Spam-Level:
X-Spam-Status: No, score=-1.87 tagged_above=-999 required=5 tests=[AWL=-0.729, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vcu2GYIfi1fp for <websec@ietfa.amsl.com>; Mon, 16 Apr 2012 11:49:33 -0700 (PDT)
Received: from n06.mail01.mtsvc.net (mailout08.mail01.mtsvc.net [216.70.64.26]) by ietfa.amsl.com (Postfix) with ESMTP id 3BA2311E809A for <websec@ietf.org>; Mon, 16 Apr 2012 11:49:33 -0700 (PDT)
Received: from [174.136.108.2] (port=40189 helo=[0.0.0.0]) by n06.mail01.mtsvc.net with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from <chris@lookout.net>) id 1SJqzU-0005ZL-Ll; Mon, 16 Apr 2012 14:49:32 -0400
Message-ID: <4F8C69BB.5040409@lookout.net>
Date: Mon, 16 Apr 2012 11:49:31 -0700
From: Chris Weber <chris@lookout.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <4F8B39B9.3060304@isode.com> <4F8C52B5.60809@stpeter.im> <4F8C5FD9.50005@lookout.net> <4F8C6189.1090006@stpeter.im>
In-Reply-To: <4F8C6189.1090006@stpeter.im>
X-Enigmail-Version: 1.4
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Authenticated-User: 882879 chris@lookout.net
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Acceptance of draft-gondrom-frame-options-02.txt and draft-gondrom-x-frame-options-00.txt as WebSec WG documents
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2012 18:49:33 -0000

On 4/16/2012 11:14 AM, Peter Saint-Andre wrote:
> Chris, just to be clear, are you objecting to acceptance of these
> documents as starting points for progression within the working group
> (i.e., do you think they are fatally flawed or not within the
> charter), or are you providing technical feedback on the assumption
> that they'll be accepted as working group items?


I think frame-options is flawed by even discussing itself as a protection against CSRF when it's primary function is to control and prevent framing.  However I do believe this is within charter, so I'm merely providing feedback on the assumption that they'll be accepted.

Best regards,
Chris Weber