Re: [websec] Frame-Options header and intermediate frames

David Ross <dross@microsoft.com> Tue, 21 February 2012 00:18 UTC

From: David Ross <dross@microsoft.com>
To: Giorgio Maone <g.maone@informaction.com>, Adam Barth <ietf@adambarth.com>
Thread-Topic: [websec] Frame-Options header and intermediate frames
Date: Tue, 21 Feb 2012 00:17:55 +0000
Message-ID: <68291699F5EA8848B0EAC2E78480571FE01C5E@TK5EX14MBXC240.redmond.corp.microsoft.com>
References: <68291699F5EA8848B0EAC2E78480571FDF9911@TK5EX14MBXC240.redmond.corp.microsoft.com> <CAJE5ia-D+BoFd0v+PAaRPh0g03LWMX_WGeZTfQz-vUSq7h83EQ@mail.gmail.com> <4F3F623A.9060200@informaction.com>
In-Reply-To: <4F3F623A.9060200@informaction.com>
Cc: Eduardo' Vela <evn@google.com>, IETF WebSec WG <websec@ietf.org>, Michal Zalewski <lcamtuf@coredump.cx>
Subject: Re: [websec] Frame-Options header and intermediate frames

AllAncestors sounds good to me.

David Ross
dross@microsoft.com

-----Original Message-----
From: Giorgio Maone [mailto:g.maone@informaction.com] 
Sent: Saturday, February 18, 2012 12:33 AM
To: Adam Barth
Cc: David Ross; Eduardo' Vela; IETF WebSec WG; Michal Zalewski
Subject: Re: [websec] Frame-Options header and intermediate frames

On 18/02/2012 09:06, Adam Barth wrote:
> On Fri, Feb 17, 2012 at 5:14 PM, David Ross <dross@microsoft.com> wrote:
>> There's a good argument that sites attempting to avoid attacks such as phishing and clickjacking would not want to frame arbitrary content.
>> Users really only have an easy way to make immediate and valid trust decisions about the origin of the top level page, not frames contained within those pages.  But sites that frame arbitrary content do exist in the real world, for better or worse.  While there are different philosophical viewpoints on cross-domain framing, there doesn't seem to be any reason to avoid creating a ValidateAllAncestors flag on Frame-Options which would instruct the browser to validate the URL of each hosting frame up to the top level.  Given this, sites that frame arbitrary content could at least make use of SAMEORIGIN and ALLOW-FROM for their intended purpose.
>>
>> We'd like to get the intermediate frame issue documented and describe the optional ValidateAllAncestors flag in the RFC draft.
>
> That sounds like a reasonable way to extend the existing syntax.  It's 
> slightly ugly

Would just "AllAncestors" be clear enough?
-- G
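The intermediate-frame problem the quoted message describes, as an added example that is not part of the thread and not code from any browser or from the draft. The policy grammar is the X-Frame-Options one (DENY / SAMEORIGIN / ALLOW-FROM uri); the proposed flag is modelled as a plain boolean rather than a settled header syntax, the origins are constructed, and the "top-level only" branch is a simplified stand-in for a check that ignores intermediate frames.

```javascript
// Added illustration of why checking only the top-level document is not
// enough once a site frames arbitrary third-party content. Not code from
// any browser or from the Frame-Options draft; the ancestor chain and
// hostnames below are constructed for the example.

// Origin of a URL as scheme://host[:port]; relies on the WHATWG URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// Parse an X-Frame-Options value into { mode, allowed }.
function parseFrameOptions(value) {
  const v = value.trim();
  const upper = v.toUpperCase();
  if (upper === "DENY") return { mode: "DENY" };
  if (upper === "SAMEORIGIN") return { mode: "SAMEORIGIN" };
  if (upper.startsWith("ALLOW-FROM")) {
    const rest = v.slice("ALLOW-FROM".length).trim();
    if (!rest) throw new Error("ALLOW-FROM without a URI");
    return { mode: "ALLOW-FROM", allowed: originOf(rest) };
  }
  throw new Error("unrecognised Frame-Options value: " + value);
}

// Does `policy` allow a document of origin `docOrigin` to be embedded by a
// framing document of origin `frameOrigin`?
function permits(policy, docOrigin, frameOrigin) {
  switch (policy.mode) {
    case "DENY":       return false;
    case "SAMEORIGIN": return frameOrigin === docOrigin;
    case "ALLOW-FROM": return frameOrigin === policy.allowed;
  }
}

// `ancestors` lists the framing documents from the immediate parent outward
// to the top-level document. With allAncestors=false only the top-level
// document is consulted (the gap the thread points at); with
// allAncestors=true every hop in the chain must satisfy the policy.
function mayBeFramed(headerValue, docUrl, ancestors, allAncestors) {
  if (ancestors.length === 0) return true; // top-level navigation, nothing to check
  const policy = parseFrameOptions(headerValue);
  const docOrigin = originOf(docUrl);
  const checked = allAncestors ? ancestors : [ancestors[ancestors.length - 1]];
  return checked.every(a => permits(policy, docOrigin, originOf(a)));
}

// Constructed scenario: bank.example serves /transfer with SAMEORIGIN and
// also has a page that frames arbitrary content. An attacker gets that page
// to frame attacker.example, which in turn frames the protected /transfer.
const chain = [
  "https://attacker.example/clickjack",   // immediate parent
  "https://bank.example/embed-anything",  // top-level document
];
const topOnly = mayBeFramed("SAMEORIGIN", "https://bank.example/transfer", chain, false);
const allHops = mayBeFramed("SAMEORIGIN", "https://bank.example/transfer", chain, true);
console.log({ topOnly, allHops }); // topOnly: true (bypass), allHops: false
```

With only the top-level origin consulted, the same-origin check passes because bank.example really is the top-level page, even though the hostile attacker.example frame sits between it and the protected document; checking every ancestor catches the intermediate frame.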