Re: [websec] Richard Barnes' Discuss on draft-ietf-websec-x-frame-options-09: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Mon, 19 August 2013 13:48 UTC

To: Barry Leiba <barryleiba@computer.org>
Cc: "draft-ietf-websec-x-frame-options@tools.ietf.org" <draft-ietf-websec-x-frame-options@tools.ietf.org>, "websec@ietf.org" <websec@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "websec-chairs@tools.ietf.org" <websec-chairs@tools.ietf.org>

On Sun, Aug 18, 2013 at 1:58 AM, Barry Leiba <barryleiba@computer.org> wrote:

>> > (D2) It seems like this is a value that browsers might cache, to avoid
>> > unnecessary requests if the same page is framed in the future.  If this
>> > is something browsers do today, please say so.
>>
>> Actually I like to push back in this case, as I don't think we should go
>> into implementation specific details that have no effect on the bits on
>> the wire nor on the effective behavior of the browser.
>> The X-Frame-Options header determines the behaviour for every individual
>> requested page regarding framing in another web page in the browser.
>> Whether the browser caches this information and compares the request
>> with an existing cache from a request from before AND if the value is
>> identical proceeds as before or whether the browser evaluates the
>> X-Frame-Options header on each request should not be specified in this
>> draft.
>
> I'll note also that this is particularly the case because this is
> documenting something that exists, but that isn't recommended for
> implementation.  If this were a PS that we were recommending for new
> implementations, it might make more sense to talk about how to do caching
> for better implementations.
>
> Barry
>

I understand.  Caching is just another aspect of existing implementation
behavior that I think should be documented.

Of course, I may be off base here.  If nobody does it, and people think
it's patently obvious that you never would, then I could clear.

--Richard
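As an added illustration (not part of this thread or of the draft), the per-response behaviour the quoted reply describes, modelled in Python: each response's X-Frame-Options value is evaluated on its own, so two responses for the same URL can legitimately yield different framing decisions, which is exactly why a cache keyed by URL is an implementation choice rather than protocol behaviour. Function names, the sample headers and the comparison against the top-level origin are assumptions of this example.

```python
# Added example: a minimal model of a user agent applying X-Frame-Options
# to one response at a time. Names and sample data are constructed here.
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """scheme://host[:port] of a URL, the unit of the SAMEORIGIN comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def parse_xfo(value):
    """Return ('DENY'|'SAMEORIGIN', None), ('ALLOW-FROM', origin), or None
    when the header is absent or unrecognised (an unrecognised value is
    treated as if no header were present)."""
    if value is None:
        return None
    v = value.strip()
    if v.upper() in ("DENY", "SAMEORIGIN"):
        return (v.upper(), None)
    parts = v.split(None, 1)
    if len(parts) == 2 and parts[0].upper() == "ALLOW-FROM":
        return ("ALLOW-FROM", origin(parts[1]))
    return None


def may_frame(response_headers: dict, framed_url: str, top_origin: str) -> bool:
    """Decide whether THIS response may render inside a frame whose top-level
    document has origin top_origin. Nothing is remembered between calls: the
    decision is made per response, caching is left to the implementation."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    xfo = parse_xfo(lowered.get("x-frame-options"))
    if xfo is None:
        return True
    directive, allowed = xfo
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin(framed_url) == top_origin
    return allowed == top_origin  # ALLOW-FROM


# Constructed sample: three successive responses for the same framed URL.
SAMPLE_RESPONSES = [
    {"X-Frame-Options": "SAMEORIGIN"},
    {"X-Frame-Options": "DENY"},
    {},  # header dropped on a later response
]


def decisions_for_same_url(responses, framed_url, top_origin):
    """Per-response decisions; a URL-keyed cache would have to cope with these differing."""
    return [may_frame(h, framed_url, top_origin) for h in responses]
```

Running `decisions_for_same_url(SAMPLE_RESPONSES, "https://example.com/a", "https://other.example")` yields `[False, False, True]`, one decision per response.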