Re: [websec] X-Frame-Options EBNF bug at Mozilla

Julian Reschke <julian.reschke@gmx.de> Tue, 26 February 2013 16:37 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E2CD21F8A05 for <websec@ietfa.amsl.com>; Tue, 26 Feb 2013 08:37:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.245
X-Spam-Level:
X-Spam-Status: No, score=-104.245 tagged_above=-999 required=5 tests=[AWL=-2.445, BAYES_00=-2.599, SARE_SUB_RAND_LETTRS4=0.799, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RFreFRiJGBWd for <websec@ietfa.amsl.com>; Tue, 26 Feb 2013 08:37:35 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id EE1D221F89EE for <websec@ietf.org>; Tue, 26 Feb 2013 08:37:34 -0800 (PST)
Received: from mailout-de.gmx.net ([10.1.76.29]) by mrigmx.server.lan (mrigmx001) with ESMTP (Nemesis) id 0LiqoN-1UgQ1j14EX-00cus2 for <websec@ietf.org>; Tue, 26 Feb 2013 17:37:34 +0100
Received: (qmail invoked by alias); 26 Feb 2013 16:37:34 -0000
Received: from mail.greenbytes.de (EHLO [192.168.1.102]) [217.91.35.233] by mail.gmx.net (mp029) with SMTP; 26 Feb 2013 17:37:34 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX19fFI0yhTVfvAhLWBUeDLJPoNvncud2A5ki+lYcIM VglXHY299B2mJJ
Message-ID: <512CE4CC.6010005@gmx.de>
Date: Tue, 26 Feb 2013 17:37:32 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130215 Thunderbird/17.0.3
MIME-Version: 1.0
To: Tobias Gondrom <tgondrom@gmx.net>
References: <370C9BEB4DD6154FA963E2F79ADC6F2E279156B0@DEN-EXDDA-S12.corp.ebay.com> <512C8D7B.4000307@gondrom.org> <512CDD75.9030308@gmx.de> <512CE299.8090703@gmx.net>
In-Reply-To: <512CE299.8090703@gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: websec@ietf.org
Subject: Re: [websec] X-Frame-Options EBNF bug at Mozilla
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2013 16:37:36 -0000

On 2013-02-26 17:28, Tobias Gondrom wrote:
> On 27/02/13 00:06, Julian Reschke wrote:
>> On 2013-02-26 11:24, Tobias Gondrom wrote:
>>> Thanks a lot for bringing this to WG attention.
>>> It seems that I misread that point when I first wrote the draft.
>>> Actually the same is true for IE.
>>> I corrected the ABNF in the new version to reflect IE and Mozilla
>>> behavior.
>>> Best regards and thanks a lot for catching this!
>>> Tobias
>>> ...
>>
>>
>> See <https://bugzilla.mozilla.org/show_bug.cgi?id=836132#c19>:
>>
>>>   Phil Ames (New to Bugzilla) 2013-02-26 08:00:53 PST
>>>
>>> From
>>> http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2
>>> :
>>>
>>> "The values are specified as ABNF strings, and therefore are
>>> case-insensitive"
>>>
>>> and the relevant methods in the code use
>>> "[header-value].LowerCaseEqualsLiteral(...)" so they match
>>> case-insensitively.
>>>
>>> One note, I think the spec is incorrect in stating that FF/Chrome
>>> support colons in 2.2.2, Chrome has no support at all for Allow-From
>>> (just my pending patch which has the same behavior as the one that
>>> led to this bug), and obviously colons are not supported here either
>>> (and the intent seems to be to not permit them).
>>
>> So I believe
>> <http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2.2>
>> needs to be fixed; in the best case by just removing it.
>
> I would be fine with removing this.
>
> Just for the record:
> From another reviewer/security researcher, I received on Jan-9 the
> following feedback:
> "IE8+ :
>
>    X-Frame-Options: ALLOW-FROM http://example.com/
>
> IETF-draft :
>
>    X-Frame-Options: ALLOW-FROM: http://example.com/
>
> IE needs no colon between "ALLOW-FROM" and uri. Firefox and Chrome accept
> both."

Firefox is in the process of getting fixed.

> Which indicated that Firefox and Chrome would support both, which is why
> I kept it in.
> But in reflection, it probably does not add value to talk about all
> other possible syntax forms that could be supported in some browsers due
> to tolerance.
> ...

Indeed, we should only document a single format that will work across 
browsers.


> So I would agree with you to remove 2.2.2.
> (And if until Sunday I don't hear any objections, I will do so.)
>
> Best regards and thanks for the feedback, Tobias

Best regards, Julian
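The thread settles on documenting one cross-browser form of the header: the tokens `DENY`, `SAMEORIGIN` and `ALLOW-FROM <uri>` (no colon after `ALLOW-FROM`), matched case-insensitively because ABNF strings are case-insensitive. The parser below is an added example written for this page; it is not Mozilla's, IE's or the draft's code. It accepts only that single portable form, rejects the `ALLOW-FROM:` colon variant from the -02 draft and other tolerance-dependent spellings, and audits a set of constructed sample header values so a site operator can see which ones will be honoured consistently. The function names and the sample values are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Strict grammar for the single portable form discussed on the list:
#   X-Frame-Options: DENY | SAMEORIGIN | ALLOW-FROM <absolute-uri>
# Token matching is case-insensitive (ABNF strings), which is what
# Firefox's LowerCaseEqualsLiteral comparison also does.  Exactly one
# run of SP/HTAB separates ALLOW-FROM from the URI; a colon is not accepted.
_ALLOW_FROM = re.compile(r"^allow-from[ \t]+(\S+)$", re.IGNORECASE)


def parse_x_frame_options(value):
    """Parse one X-Frame-Options header value.

    Returns ("DENY",), ("SAMEORIGIN",), ("ALLOW-FROM", origin), or None
    when the value is not in the portable form (a browser that tolerates
    the value anyway is relying on behaviour other browsers do not share).
    """
    v = value.strip()
    lowered = v.lower()
    if lowered == "deny":
        return ("DENY",)
    if lowered == "sameorigin":
        return ("SAMEORIGIN",)
    m = _ALLOW_FROM.match(v)
    if not m:
        # Covers "ALLOW-FROM: uri", "ALLOW-FROM" with no URI, lists of
        # origins, and any unknown token.
        return None
    parts = urlsplit(m.group(1))
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    # Reduce the URI to a serialized origin: scheme://host[:port].
    # The path (for example the trailing "/" in the reviewer's sample)
    # carries no meaning for an origin comparison.
    origin = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    return ("ALLOW-FROM", origin)


def audit_header_values(values):
    """Map each candidate header value to True (portable) or False (not)."""
    return {v: parse_x_frame_options(v) is not None for v in values}


# Constructed sample values, modelled on the forms mentioned in the thread.
SAMPLE_VALUES = [
    "DENY",
    "sameorigin",
    "ALLOW-FROM http://example.com/",        # IE8+ form, the one to document
    "allow-from\thttps://Example.com",       # same form, different case/whitespace
    "ALLOW-FROM: http://example.com/",       # draft -02 form, rejected by IE
    "ALLOW-FROM",                            # token without an origin
    "ALLOW-FROM http://a.example, http://b.example",  # multiple origins
    "ALLOW-FROM ftp://example.com/",         # not an http(s) origin
]

if __name__ == "__main__":
    for value, portable in audit_header_values(SAMPLE_VALUES).items():
        parsed = parse_x_frame_options(value)
        print(f"{'OK  ' if portable else 'FAIL'} {value!r:50} -> {parsed}")
```

Run stand-alone, the script prints one line per sample; only the first four are reported as portable. The colon variant is the interesting failure: it parses in a tolerant browser and is silently ignored in IE, so a site that emits it gets clickjacking protection in some browsers and none in others, which is exactly why the thread favours documenting one format.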