Re: [websec] X-Frame-Options EBNF bug at Mozilla
Julian Reschke <julian.reschke@gmx.de> Tue, 26 February 2013 16:37 UTC
Message-ID: <512CE4CC.6010005@gmx.de>
Date: Tue, 26 Feb 2013 17:37:32 +0100
From: Julian Reschke <julian.reschke@gmx.de>
To: Tobias Gondrom <tgondrom@gmx.net>
References: <370C9BEB4DD6154FA963E2F79ADC6F2E279156B0@DEN-EXDDA-S12.corp.ebay.com> <512C8D7B.4000307@gondrom.org> <512CDD75.9030308@gmx.de> <512CE299.8090703@gmx.net>
In-Reply-To: <512CE299.8090703@gmx.net>
Cc: websec@ietf.org
Subject: Re: [websec] X-Frame-Options EBNF bug at Mozilla
On 2013-02-26 17:28, Tobias Gondrom wrote:
> On 27/02/13 00:06, Julian Reschke wrote:
>> On 2013-02-26 11:24, Tobias Gondrom wrote:
>>> Thanks a lot for bringing this to WG attention.
>>> It seems that I misread that point when I first wrote the draft.
>>> Actually the same is true for IE.
>>> I corrected the ABNF in the new version to reflect IE and Mozilla
>>> behavior.
>>> Best regards and thanks a lot for catching this!
>>> Tobias
>>> ...
>>
>> See <https://bugzilla.mozilla.org/show_bug.cgi?id=836132#c19>:
>>
>>> Phil Ames (New to Bugzilla) 2013-02-26 08:00:53 PST
>>>
>>> From
>>> http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2:
>>>
>>> "The values are specified as ABNF strings, and therefore are
>>> case-insensitive"
>>>
>>> and the relevant methods in the code use
>>> "[header-value].LowerCaseEqualsLiteral(...)" so they match
>>> case-insensitively.
>>>
>>> One note, I think the spec is incorrect in stating that FF/Chrome
>>> support colons in 2.2.2, Chrome has no support at all for Allow-From
>>> (just my pending patch which has the same behavior as the one that
>>> led to this bug), and obviously colons are not supported here either
>>> (and the intent seems to be to not permit them).
>>
>> So I believe
>> <http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2.2>
>> needs to be fixed; in the best case by just removing it.
>
> I would be fine with removing this.
>
> Just for the record:
> From another reviewer/security researcher, I received on Jan-9 the
> following feedback:
> "IE8+ :
>
> X-Frame-Options: ALLOW-FROM http://example.com/
>
> IETF-draft :
>
> X-Frame-Options: ALLOW-FROM: http://example.com/
>
> IE needs no colon between "ALLOW-FROM" and uri. Firefox and Chrome accept
> both."

Firefox is in the process of getting fixed.

> Which indicated that Firefox and Chrome would support both, which is why
> I kept it in.
> But in reflection, it probably does not add value to talk about all
> other possible syntax form that could be supported in some browsers due
> to tolerance.
> ...

Indeed, we should only document a single format that will work across browsers.

> So I would agree with you to remove 2.2.2.
> (And if until Sunday I don't hear any objections, I will do so.)
>
> Best regards and thanks for the feedback, Tobias

Best regards, Julian
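The syntax point argued in this thread, as an added example that is not part of the message, the draft, or any browser's code: a small parser for the X-Frame-Options value in the form the thread settles on (DENY, SAMEORIGIN, or ALLOW-FROM followed by whitespace and a URI, directive names matched case-insensitively, no colon after ALLOW-FROM) and the framing decision a user agent would derive from it. The function names, the sample header values, the choice to reject a comma-joined field, and the rule that an unrecognised value imposes no restriction are all assumptions of this example; the last one is there to make the consequence of the colon variant visible, since a header the browser does not recognise protects nothing.

```javascript
// Added example (not from the thread or the draft): parse an X-Frame-Options
// value as discussed above and decide whether framing is allowed.
//   DENY | SAMEORIGIN | ALLOW-FROM <whitespace> <URI>
// Directive names match case-insensitively. "ALLOW-FROM:" (with a colon, the
// syntax the thread removes from the draft) does NOT match. Treating an
// unrecognised value as "no restriction" is this example's assumption.

function parseXFrameOptions(headerValue) {
  if (typeof headerValue !== 'string') {
    return { directive: 'INVALID', reason: 'header absent' };
  }
  const value = headerValue.trim();
  if (value.indexOf(',') !== -1) {
    // Two header fields folded into one value: ambiguous, so treated as invalid
    // (simplification: a URI containing a literal comma is also rejected here).
    return { directive: 'INVALID', reason: 'multiple values' };
  }
  const lower = value.toLowerCase();
  if (lower === 'deny') return { directive: 'DENY' };
  if (lower === 'sameorigin') return { directive: 'SAMEORIGIN' };

  // ALLOW-FROM must be followed by at least one space or tab and then exactly
  // one URI token. A colon directly after the directive name fails this match.
  const m = /^allow-from[ \t]+(\S+)$/i.exec(value);
  if (!m) return { directive: 'INVALID', reason: 'unrecognised value' };

  let origin;
  try {
    origin = new URL(m[1]).origin; // scheme://host[:port], lower-cased by URL
  } catch (e) {
    return { directive: 'INVALID', reason: 'ALLOW-FROM URI does not parse' };
  }
  if (origin === 'null') {
    return { directive: 'INVALID', reason: 'ALLOW-FROM URI has an opaque origin' };
  }
  return { directive: 'ALLOW-FROM', origin: origin };
}

// Decide whether a document served with headerValue from documentOrigin may be
// framed by a top-level document at framerOrigin.
function framingDecision(headerValue, documentOrigin, framerOrigin) {
  const parsed = parseXFrameOptions(headerValue);
  switch (parsed.directive) {
    case 'DENY':
      return { allowed: false, reason: 'DENY' };
    case 'SAMEORIGIN':
      return { allowed: documentOrigin === framerOrigin, reason: 'SAMEORIGIN' };
    case 'ALLOW-FROM':
      return { allowed: parsed.origin === framerOrigin, reason: 'ALLOW-FROM ' + parsed.origin };
    default:
      // Assumption of this model: a header the parser does not understand is
      // ignored, so the page is framable although its author believes otherwise.
      return { allowed: true, reason: 'header not enforced: ' + parsed.reason };
  }
}

// Constructed sample values, including the colon form the thread rejects.
const sampleHeaders = [
  'DENY',
  'sameorigin',
  'ALLOW-FROM http://example.com/',
  'allow-from HTTP://EXAMPLE.COM/some/path',
  'ALLOW-FROM: http://example.com/',
];

for (const h of sampleHeaders) {
  const d = framingDecision(h, 'https://victim.example', 'http://example.com');
  console.log(JSON.stringify(h) + ' -> ' + JSON.stringify(d));
}
```

Run under Node.js; the loop prints one decision per sample. The last sample is the instructive one: with the colon, the value falls through to the default branch and framing by http://example.com is allowed, which is the failure mode a site operator who copied the draft's former section 2.2.2 would have shipped.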
- [websec] X-Frame-Options EBNF bug at Mozilla Hill, Brad
- Re: [websec] X-Frame-Options EBNF bug at Mozilla Julian Reschke
- Re: [websec] X-Frame-Options EBNF bug at Mozilla Tobias Gondrom
- Re: [websec] X-Frame-Options EBNF bug at Mozilla Julian Reschke
- Re: [websec] X-Frame-Options EBNF bug at Mozilla Tobias Gondrom
- Re: [websec] X-Frame-Options EBNF bug at Mozilla Julian Reschke