Re: [websec] Frame-Options header and intermediate frames

Tobias Gondrom <tobias.gondrom@gondrom.org> Mon, 05 March 2012 18:14 UTC

Message-ID: <4F550274.2060408@gondrom.org>
Date: Mon, 05 Mar 2012 18:14:12 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: websec@ietf.org
References: <68291699F5EA8848B0EAC2E78480571FDF9911@TK5EX14MBXC240.redmond.corp.microsoft.com> <CAJE5ia-D+BoFd0v+PAaRPh0g03LWMX_WGeZTfQz-vUSq7h83EQ@mail.gmail.com> <4F3F623A.9060200@informaction.com> <68291699F5EA8848B0EAC2E78480571FE01C5E@TK5EX14MBXC240.redmond.corp.microsoft.com>
In-Reply-To: <68291699F5EA8848B0EAC2E78480571FE01C5E@TK5EX14MBXC240.redmond.corp.microsoft.com>
Subject: Re: [websec] Frame-Options header and intermediate frames

Hello,
OK, I edited the draft accordingly.
http://www.ietf.org/id/draft-gondrom-frame-options-02.txt
Best regards, Tobias

PS: As discussed at our previous meeting, I also submitted a working 
00-version draft for X-Frame-Options, which is only to document the status 
quo, while Frame-Options shall be the way going forward, as discussed in 
our websec meeting in Paris. Link: 
http://www.ietf.org/id/draft-gondrom-x-frame-options-00.txt
I will update both further in the next few days.



On 21/02/12 00:17, David Ross wrote:
> AllAncestors sounds good to me.
>
> David Ross
> dross@microsoft.com
>
> -----Original Message-----
> From: Giorgio Maone [mailto:g.maone@informaction.com]
> Sent: Saturday, February 18, 2012 12:33 AM
> To: Adam Barth
> Cc: David Ross; Eduardo' Vela; IETF WebSec WG; Michal Zalewski
> Subject: Re: [websec] Frame-Options header and intermediate frames
>
> On 18/02/2012 09:06, Adam Barth wrote:
>> On Fri, Feb 17, 2012 at 5:14 PM, David Ross <dross@microsoft.com> wrote:
>>> There's a good argument that sites attempting to avoid attacks such as phishing and clickjacking would not want to frame arbitrary content.
>>> Users really only have an easy way to make immediate and valid trust decisions about the origin of the top level page, not frames contained within those pages.  But sites that frame arbitrary content do exist in the real world, for better or worse.  While there are different philosophical viewpoints on cross-domain framing, there doesn't seem to be any reason to avoid creating a ValidateAllAncestors flag on Frame-Options which would instruct the browser to validate the URL of each hosting frame up to the top level.  Given this, sites that frame arbitrary content could at least make use of SAMEORIGIN and ALLOW-FROM for their intended purpose.
>>> We'd like to get the intermediate frame issue documented and describe the optional ValidateAllAncestors flag in the RFC draft.
>> That sounds like a reasonable way to extend the existing syntax.  It's
>> slightly ugly
> Would just "AllAncestors" be clear enough?
> -- G
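The intermediate-frame problem David Ross describes above, as an added example that is not part of this thread, the draft, or any browser's implementation: a policy evaluator that checks a Frame-Options value against the chain of documents framing a page. The header grammar assumed here (DENY, SAMEORIGIN or ALLOW-FROM followed by an optional "; AllAncestors" flag), the legacy behaviour of validating only the top-level page, and the bank.example / evil.example / partner.example origins are all assumptions of the example.

```javascript
// Added example (not from the draft, any browser, or anyone in this thread):
// evaluating a Frame-Options value against the chain of documents that frame a
// page, to show the intermediate-frame gap and how an AllAncestors flag closes it.
// Assumed syntax: "DENY", "SAMEORIGIN" or "ALLOW-FROM <origin>", optionally
// followed by "; AllAncestors". The exact grammar is an assumption of this example.

function originOf(url) {
  // Scheme, host and non-default port: what a same-origin comparison keys on.
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function parseFrameOptions(value) {
  const [directive = '', ...flags] = value.split(';').map((p) => p.trim()).filter(Boolean);
  const allowFrom = /^ALLOW-FROM\s+(\S+)$/i.exec(directive);
  const name = allowFrom ? 'ALLOW-FROM' : directive.toUpperCase();
  if (!['DENY', 'SAMEORIGIN', 'ALLOW-FROM'].includes(name)) {
    throw new Error(`unsupported Frame-Options directive: ${directive}`);
  }
  return {
    directive: name,
    allowFrom: allowFrom ? originOf(allowFrom[1]) : null,
    allAncestors: flags.some((f) => f.toLowerCase() === 'allancestors'),
  };
}

// ancestors: URLs of the documents framing `framedUrl`, immediate parent first,
// top-level page last. Returns true if the page may render inside that chain.
function mayBeFramed(frameOptions, framedUrl, ancestors) {
  if (ancestors.length === 0) return true; // not framed at all; the header does not apply
  const policy = parseFrameOptions(frameOptions);
  if (policy.directive === 'DENY') return false;
  const self = originOf(framedUrl);
  const allowed = policy.directive === 'SAMEORIGIN' ? self : policy.allowFrom;
  // Legacy behaviour assumed here (the scenario in the thread): only the
  // top-level page is validated, so a hostile intermediate frame is never seen.
  // With AllAncestors every hosting frame up to the top level must match.
  const checked = policy.allAncestors ? ancestors : [ancestors[ancestors.length - 1]];
  return checked.every((url) => originOf(url) === allowed);
}

// Constructed scenario (assumed origins): the victim's own portal frames
// arbitrary third-party content, and that content frames the victim's sensitive page.
const VICTIM_PAGE = 'https://bank.example/transfer';
const HOSTILE_CHAIN = ['https://evil.example/clickjack', 'https://bank.example/portal'];

function demo() {
  return {
    // top level is bank.example, so the legacy check passes despite evil.example in between
    legacySameOrigin: mayBeFramed('SAMEORIGIN', VICTIM_PAGE, HOSTILE_CHAIN),
    // every hosting frame is checked, evil.example fails the same-origin test
    allAncestorsSameOrigin: mayBeFramed('SAMEORIGIN; AllAncestors', VICTIM_PAGE, HOSTILE_CHAIN),
    // a single permitted partner frame is still allowed under the stricter flag
    allowFromPartner: mayBeFramed('ALLOW-FROM https://partner.example; AllAncestors',
      VICTIM_PAGE, ['https://partner.example/embed']),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The ancestor list is ordered parent-first so that the legacy branch picks the last element (the top-level page); a real browser would derive this chain from its frame tree rather than from URLs handed in by the caller.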