Re: [websec] Document Action: 'HTTP Header Field X-Frame-Options' to Informational RFC (draft-ietf-websec-x-frame-options-12.txt)

Yoav Nir <ynir@checkpoint.com> Wed, 28 August 2013 13:19 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: websec mailing list <websec@ietf.org>
Date: Wed, 28 Aug 2013 13:19:22 +0000
Message-ID: <9ABB97BC-881D-4D43-B0EE-04954B6994F3@checkpoint.com>
References: <20130828131142.9621.2653.idtracker@ietfa.amsl.com>
In-Reply-To: <20130828131142.9621.2653.idtracker@ietfa.amsl.com>
Subject: Re: [websec] Document Action: 'HTTP Header Field X-Frame-Options' to Informational RFC (draft-ietf-websec-x-frame-options-12.txt)
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>

Congratulations.

Thanks to all who participated in the discussion, and special thanks to the document authors who took on this onerous (especially in the last two weeks) task.

Yoav

On Aug 28, 2013, at 4:11 PM, The IESG <iesg-secretary@ietf.org> wrote:

> The IESG has approved the following document:
> - 'HTTP Header Field X-Frame-Options'
>  (draft-ietf-websec-x-frame-options-12.txt) as Informational RFC
> 
> This document is the product of the Web Security Working Group.
> 
> The IESG contact persons are Barry Leiba and Pete Resnick.
> 
> A URL of this Internet Draft is:
> http://datatracker.ietf.org/doc/draft-ietf-websec-x-frame-options/
> 
> Technical Summary
> 
> This informational document serves to document the existing use and 
> specification of the X-Frame-Options HTTP response header field.
> 
> To improve the protection of web applications against Clickjacking,
> this definition describes the X-Frame-Options HTTP response header
> field that declares a policy communicated from the server to the
> client browser on whether the browser may display the transmitted
> content in frames that are part of other web pages.
> 
> Review and Consensus
> 
> In 2009 and 2010 many browser vendors introduced the use of a non-
> standard HTTP header field "X-Frame-Options" to protect against 
> Clickjacking. There have been differences between the various 
> implementations which may cause security and interoperability 
> concerns. This draft has been produced as informational by the websec 
> working group to document the current use and also to function as a 
> baseline for the future unified standard as part of the currently 
> produced Content Security Policy 1.1 (by WebAppSec at the W3C) - and 
> to get rid of the deprecated "X-" (see RFC6648). 
> 
> The review process took sufficient time and involved a medium number 
> of people with deep browser security knowledge. During the review 
> process no major controversies came up, which is not too surprising 
> as the draft is intended as informational and documenting.
> 
> Personnel
> 
> Yoav Nir is the Document Shepherd. Barry Leiba is the Responsible 
> Area Director.
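As an added illustration of the policy the announcement summarises (this is example code written for this page, not text from the draft, from RFC 7034 as it was later published, or from anyone on the thread), the JavaScript below models how a browser evaluates an X-Frame-Options response header, including the two implementation differences the draft records: whether SAMEORIGIN compares every framing ancestor or only the top-level page, and browsers that never implemented ALLOW-FROM and therefore ignore the whole header. It also shows a server emitting the header next to its standardised successor, the CSP frame-ancestors directive. The option names checkAllAncestors and supportsAllowFrom, and the origins bank.example, ads.example and partner.example, are constructed for the example and appear nowhere in the announcement.

```javascript
// Added example, not code from the draft, RFC 7034 or the websec thread.
// Origins are plain "scheme://host[:port]" strings as produced by URL.origin.

const DIRECTIVES = new Set(['DENY', 'SAMEORIGIN', 'ALLOW-FROM']);

// Parse a field value. Returns { directive, allowFrom } or null when the value
// is not one the draft recognises. A null result means the browser ignores the
// header, i.e. framing is allowed: malformed values fail open.
function parseXFrameOptions(value) {
  if (typeof value !== 'string') return null;
  // Several header fields are combined into one comma-separated value.
  // Conflicting members ("SAMEORIGIN, DENY") are treated as invalid here;
  // the draft notes browsers differ on this, and ignoring the header is one
  // observed outcome.
  const members = value.split(',').map((m) => m.trim()).filter(Boolean);
  if (members.length === 0) return null;
  const unique = new Set(members.map((m) => m.toUpperCase()));
  if (unique.size !== 1) return null;
  const [token, ...rest] = members[0].split(/\s+/);
  const directive = token.toUpperCase();
  if (!DIRECTIVES.has(directive)) return null;
  if (directive === 'ALLOW-FROM') {
    if (rest.length !== 1) return null;
    let origin;
    try {
      origin = new URL(rest[0]).origin; // only the origin is compared
    } catch (e) {
      return null;
    }
    return { directive, allowFrom: origin };
  }
  if (rest.length !== 0) return null;
  return { directive, allowFrom: null };
}

// Decide whether a document with origin `docOrigin` may render when framed by
// `ancestors` (immediate parent first, top-level page last; an empty chain
// means the document is itself the top-level page).
// checkAllAncestors (constructed option): SAMEORIGIN compares every ancestor,
//   not just the top-level origin; the draft records both behaviours.
// supportsAllowFrom (constructed option): browsers without ALLOW-FROM support
//   treat the header as invalid and ignore it entirely.
function mayBeFramed(headerValue, docOrigin, ancestors, options = {}) {
  const { checkAllAncestors = true, supportsAllowFrom = true } = options;
  if (ancestors.length === 0) return true;  // not framed at all
  const policy = parseXFrameOptions(headerValue);
  if (policy === null) return true;         // absent or invalid: fail open
  const top = ancestors[ancestors.length - 1];
  switch (policy.directive) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return checkAllAncestors
        ? ancestors.every((o) => o === docOrigin)
        : top === docOrigin;
    case 'ALLOW-FROM':
      if (!supportsAllowFrom) return true;  // header ignored: framing allowed
      return top === policy.allowFrom;
    default:
      return true;
  }
}

// Server side: emit X-Frame-Options for older browsers together with the
// equivalent CSP frame-ancestors directive, which has no ALLOW-FROM gap.
function framingHeaders(directive, allowFrom) {
  switch (directive) {
    case 'DENY':
      return { 'X-Frame-Options': 'DENY',
               'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'SAMEORIGIN':
      return { 'X-Frame-Options': 'SAMEORIGIN',
               'Content-Security-Policy': "frame-ancestors 'self'" };
    case 'ALLOW-FROM': {
      const origin = new URL(allowFrom).origin;
      return { 'X-Frame-Options': `ALLOW-FROM ${origin}`,
               'Content-Security-Policy': `frame-ancestors ${origin}` };
    }
    default:
      throw new Error(`unknown directive ${directive}`);
  }
}

// Constructed scenario: bank.example's page framed via an ads.example frame
// that sits inside a bank.example top-level page.
const nested = ['https://ads.example', 'https://bank.example'];
console.log('SAMEORIGIN, all ancestors:',
  mayBeFramed('SAMEORIGIN', 'https://bank.example', nested, { checkAllAncestors: true }));
console.log('SAMEORIGIN, top only:     ',
  mayBeFramed('SAMEORIGIN', 'https://bank.example', nested, { checkAllAncestors: false }));
console.log(framingHeaders('DENY'));
```

The practical reading: a browser that only compares the top-level origin lets a cross-origin intermediate frame embed the SAMEORIGIN page, a browser without ALLOW-FROM support renders an ALLOW-FROM page inside any frame, and combined conflicting values can switch the protection off altogether. Sending frame-ancestors alongside the legacy header closes those gaps where CSP is supported.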