Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
Tobias Gondrom <tobias.gondrom@gondrom.org> Mon, 19 August 2013 14:44 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5C6011E8295 for <websec@ietfa.amsl.com>; Mon, 19 Aug 2013 07:44:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.361
X-Spam-Level:
X-Spam-Status: No, score=-95.361 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zwx95sQ2FQEy for <websec@ietfa.amsl.com>; Mon, 19 Aug 2013 07:44:33 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id 56DA611E8107 for <websec@ietf.org>; Mon, 19 Aug 2013 07:44:14 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=qiYS6B/f48mwywTk/UZTpQA3a87xkh18YkRAiCO7bPKq7ZcX64OPI4gYS5r98PF77mMJ/3jHKh0GwPUIPXNs+A5NiHCAvoeIPsZNcKtRXXc65EKz2xweacaB+easSnks; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type;
Received: (qmail 9704 invoked from network); 19 Aug 2013 16:44:14 +0200
Received: from port-83-236-131-2.static.qsc.de (HELO ?10.13.163.52?) (83.236.131.2) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 19 Aug 2013 16:44:13 +0200
Message-ID: <52122F3D.4010306@gondrom.org>
Date: Mon, 19 Aug 2013 16:44:13 +0200
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: rlb@ipv.sx
References: <20130815014121.17800.33179.idtracker@ietfa.amsl.com> <370C9BEB4DD6154FA963E2F79ADC6F2E27BAD2A7@DEN-EXDDA-S12.corp.ebay.com> <CAL02cgQSQWAfeZNtEwtNrbajSx8Q7ACyjZ0gEaYB8Oj0HL0jOA@mail.gmail.com> <CAL02cgRyywSoz2mhcaGc+d1eQS4gFo3RruGieXQm+wNHJLPnrg@mail.gmail.com>
In-Reply-To: <CAL02cgRyywSoz2mhcaGc+d1eQS4gFo3RruGieXQm+wNHJLPnrg@mail.gmail.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/alternative; boundary="------------080602070809020602060503"
Cc: draft-ietf-websec-x-frame-options@tools.ietf.org, websec@ietf.org, iesg@ietf.org, websec-chairs@tools.ietf.org
Subject: Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 14:44:37 -0000
On 19/08/13 15:46, Richard Barnes wrote: > > > > On Mon, Aug 19, 2013 at 9:38 AM, Richard Barnes <rlb@ipv.sx > <mailto:rlb@ipv.sx>> wrote: > > > > > On Fri, Aug 16, 2013 at 7:44 PM, Hill, Brad <bhill@paypal-inc.com > <mailto:bhill@paypal-inc.com>> wrote: > > Additional comments inline. > ________________________________________ > > > (D3) Shouldn't ALLOW-FROM be followed by an origin, not a URI? > In other > words, what does it mean to send "X-Frame-Options: ALLOW-FROM > https://example.com/this/is/a/path?query#fragment"? > > [Hill, Brad] Agreed. > > > Great. > > > > (D3) In the ALLOW-FROM: what does "top level context" mean? > Do you > really mean the top level here, as opposed to the next one up? > For > example, suppose A loads B in an iframe, and B loads C, and > then C sends > an X-Frame-Options header with ALLOW-FROM. Is the ALLOW-FROM > origin > compared to B or A? In either case, you should also note the > attacks > that remain. For example, if the answer is B, then B needs to use > X-Frame-Options as well, or else, A can maliciously frame A > within B. Or > if the answer is A, then C is trusting A not to load any malicious > intermediate frames B. > > [Hill, Brad] This really does mean the top/final origin value > in a frame ancestor > chain walk. Browsers have implemented X-Frame-Options to > check the > Origin context that is topmost in the window or tab. (the > _top target, > representing the full, original browsing context, not just the > immediate > parent frame) This could be clarified perhaps, but is not > incorrect. > > > OK, that's fine. Could you please just note the risk that an > intermediate frame in a nested scenario could do bad things? For > example, in the Security Considerations: > """ > When SAMEORIGIN or ALLOW-FROM values are used, there is some > residual risk in nested framing scenarios. For example, suppose > that A loads B in an iframe; B loads C; and C sends an > X-Frame-Options header with the value "ALLOW-FROM A". The browser > will allow this setup, because the ALLOW-FROM origin sent by C > matches the top-level origin. However, the intermediate framing > page B may still be able to perform clickjacking attacks against > A. Thus, sites using this mechanism should keep in mind that by > emitting an X-Frame-Options header with value SAMEORIGIN or > ALLOW-FROM, they are not only granting permission to the indicated > origin (the same origin, or the ALLOW-FROM origin), but also to > any origins included as frames within that origin. > """ > > > Update: Feel free to ignore this suggestion (or steal text if you > think it's helpful). I think Tobias is on the right track with what > he suggested. That's what I get for responding to email in > chronological order :) > > --Ricahrd Dear Richard, no problem, happens to me, too. Synchronous and asynchronous processing. ;-) I will keep the new revised wording in version-10 as is. Thanks, Tobias > > > > > > Thanks, > --Richard > > > > > > > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec
- [websec] Richard Barnes' Discuss on draft-ietf-we… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Hill, Brad
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Barry Leiba
- Re: [websec] Richard Barnes' Discuss on draft-iet… Yoav Nir
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Barry Leiba
- Re: [websec] Richard Barnes' Discuss on draft-iet… Hill, Brad
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes
- Re: [websec] Richard Barnes' Discuss on draft-iet… Tobias Gondrom
- Re: [websec] Richard Barnes' Discuss on draft-iet… Richard Barnes