[websec] X-Frame-Options EBNF bug at Mozilla

"Hill, Brad" <bhill@paypal-inc.com> Mon, 11 February 2013 22:09 UTC

Return-Path: <bhill@paypal-inc.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id B42CD21F8A89 for <websec@ietfa.amsl.com>; Mon, 11 Feb 2013 14:09:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.8
X-Spam-Status: No, score=-9.8 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id rVrJc6DLhGPl for <websec@ietfa.amsl.com>; Mon, 11 Feb 2013 14:09:52 -0800 (PST)
Received: from den-mipot-002.corp.ebay.com (den-mipot-002.corp.ebay.com []) by ietfa.amsl.com (Postfix) with ESMTP id 28B6E21F8A80 for <websec@ietf.org>; Mon, 11 Feb 2013 14:09:51 -0800 (PST)
DomainKey-Signature: s=paypalcorp; d=paypal-inc.com; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:From:To:CC: Subject:Thread-Topic:Thread-Index:Date:Message-ID: Accept-Language:Content-Language:X-MS-Has-Attach: X-MS-TNEF-Correlator:x-originating-ip:Content-Type: Content-Transfer-Encoding:MIME-Version:X-CFilter; b=uZlJbwBbT5yXi5UTLnyLLyGlua43U0drKzInnvoi3mzsyY0HTBN7PkTl GpnNZnu1rLoGIW8fXwWU182hAy55dur3DNqr1uhGnFMat4aNqhAmkGwKq Kf2FJ+pH+lwaCZljEhr5iKY82Eyz/4cIsdtnI1IaDrLwB1KSZpcVnIhv4 k=;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-inc.com; i=bhill@paypal-inc.com; q=dns/txt; s=paypalcorp; t=1360620592; x=1392156592; h=from:to:cc:subject:date:message-id: content-transfer-encoding:mime-version; bh=fSjL1srQtXSL1udTr7snlUs3dSSjx7QcO/zlLExa+TM=; b=m2LI6eZKOKDJI//lq4R5GDyl0rXBVXPKmicrDmxA1bnLoGAEw3KQLyad +iFBnJE0wY7JiRv2anC8BTNk6kXQc1Y3NZ59xBc8OZCjgaouLR23U/p1c Ikn2J+ouID9zpQdLeAotN1CVhWoyPr/3EiR6gFCDjVOQ6NRiB8JU2BlM1 M=;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos;i="4.84,646,1355126400"; d="scan'208";a="12765961"
Received: from den-vtenf-001.corp.ebay.com (HELO DEN-EXMHT-004.corp.ebay.com) ([]) by den-mipot-002.corp.ebay.com with ESMTP; 11 Feb 2013 14:09:51 -0800
Received: from DEN-EXDDA-S12.corp.ebay.com ([fe80::40c1:9cf7:d21e:46c]) by DEN-EXMHT-004.corp.ebay.com ([fe80::a487:c570:9abc:bb59%14]) with mapi id 14.02.0318.004; Mon, 11 Feb 2013 15:09:51 -0700
From: "Hill, Brad" <bhill@paypal-inc.com>
To: Yoav Nir <ynir@checkpoint.com>, Julian Reschke <julian.reschke@gmx.de>, "Tobias Gondrom (tobias.gondrom@gondrom.org)" <tobias.gondrom@gondrom.org>
Thread-Topic: X-Frame-Options EBNF bug at Mozilla
Thread-Index: Ac4IpIq0IjFESr+DQEGnUPazAUlfLQ==
Date: Mon, 11 Feb 2013 22:09:50 +0000
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E279156B0@DEN-EXDDA-S12.corp.ebay.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter: Scanned
Cc: IETF WebSec WG <websec@ietf.org>
Subject: [websec] X-Frame-Options EBNF bug at Mozilla
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Feb 2013 22:09:53 -0000

This bug at Mozilla was recently brought to my attention:


It seems to indicate that the specified EBNF of using a colon between "ALLOW-FROM" and the URI is not the actual behavior of most user agents that implement that functionality.

Perhaps we should update this to reflect the predominant implementation in the field. (Internet Explorer's)


> -----Original Message-----
> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On
> Behalf Of Yoav Nir
> Sent: Tuesday, January 29, 2013 5:30 AM
> To: Julian Reschke
> Cc: IETF WebSec WG
> Subject: Re: [websec] WGLC feedback for X-Frame-Options
> Yes. Tobias will submit a revised version soon, incorporating the WGLC
> comments.
> Yoav
> On Jan 29, 2013, at 3:20 PM, Julian Reschke <julian.reschke@gmx.de>
>  wrote:
> > On 2012-11-06 18:25, Julian Reschke wrote:
> >> Hi there,
> >>
> >> here's my feedback from the HTTP/editorial point of view:
> >> ...
> >
> > Just checking: is the WG still working on this draft? There doesn't seem to
> be any activity since October 2012...
> >
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec