Re: [websec] Stephen Farrell's Yes on draft-ietf-websec-x-frame-options-09: (with COMMENT)

Tobias Gondrom <tobias.gondrom@gondrom.org> Sat, 17 August 2013 19:31 UTC

Message-ID: <520FCF84.9010605@gondrom.org>
Date: Sat, 17 Aug 2013 20:31:16 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: stephen.farrell@cs.tcd.ie
References: <20130814224803.25993.58131.idtracker@ietfa.amsl.com>
In-Reply-To: <20130814224803.25993.58131.idtracker@ietfa.amsl.com>
Cc: draft-ietf-websec-x-frame-options@tools.ietf.org, websec@ietf.org, iesg@ietf.org, websec-chairs@tools.ietf.org
Subject: Re: [websec] Stephen Farrell's Yes on draft-ietf-websec-x-frame-options-09: (with COMMENT)

On 14/08/13 23:48, Stephen Farrell wrote:
> Stephen Farrell has entered the following ballot position for
> draft-ietf-websec-x-frame-options-09: Yes
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-websec-x-frame-options/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
>
> (Personal opinion only, no change requested unless it
> resonates with folks.) I would prefer that this not say
> that NoScript impairs browser utility. I find it fine.
>
> Other than that, this is a fine draft, thanks.
>

Stephen,
personally, I use NoScript, too.

But, looking at today's web applications, JavaScript and frames are widely
spread and many web applications would indeed be very impaired if you
disable JavaScript and frames in your browser entirely.
Some years ago people tried to discourage JavaScript for security
sensitive applications (read "most of the web applications") and to
disable JavaScript in the browser, but meanwhile we moved past that
point and try to fix the security/trust models for JavaScript using CSP
- which I hope gives us another chance to fix large parts of it.
JavaScript functions are quite common nowadays in airline booking
systems, banking, corporate websites, etc., be it for design, client-side
input validation or other interactive functionality up to editing
capabilities.

Best regards, Tobias