Hi folks,

Consider a site at www.alice.com that wants to be framed only by their friends at www.bob.com.

Say a request to https://www.alice.com might respond with

X-Frame-Options: allow-from http://www.bob.com

Clearly, https://www.alice.com has the privilege to act with the 'secure' cookie for alice.com. In this scenario, http://www.bob.com might actually be MITM'ed by Mallory and contain malicious code. In this scenario, does it make sense to allow http://www.bob.example to frame https://www.alice.example?

I think this is wrong behavior: a higher-level invariant that should be maintained (at least in the newer specs :) is that only HTTPS content has access to secure cookie privileges.

Thus, I think the right thing to do is: enforce https for all the origins in the list returned in allow-from by https://www.alice.com. Even if https://www.alice.com responds with http://www.bob.com in its X-Frame-Options, the browser should only allow https://www.bob.com to frame https://www.alice.com.

I think this is even more compelling in case alice.com has enforced HSTS.

What do others think?

thanks
devdatta
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
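The rule proposed in the post above, as an added example (my own code, not anything from the thread or from any browser): a small X-Frame-Options evaluator in which an `allow-from` origin given as http:// is honoured only for its https:// counterpart whenever the framed page is itself https. All function and parameter names here are my own assumptions.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin tuple, with default ports filled in."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, u.hostname.lower(), port)


def parse_xfo(header_value):
    """Return (directive, allowed_origin); allowed_origin is only set for ALLOW-FROM."""
    parts = header_value.strip().split(None, 1)
    directive = parts[0].upper()
    if directive in ("DENY", "SAMEORIGIN"):
        return directive, None
    if directive == "ALLOW-FROM" and len(parts) == 2:
        return directive, origin_of(parts[1].strip())
    raise ValueError("unrecognised X-Frame-Options value: %r" % header_value)


def upgrade_to_https(origin):
    """Map an http origin to the https origin a browser would reach for the same host."""
    scheme, host, port = origin
    if scheme == "https":
        return origin
    # Default port 80 becomes the https default 443; an explicit custom port is kept (assumption).
    return ("https", host, 443 if port == 80 else port)


def may_frame(framed_url, xfo_value, framer_url, enforce_https=True):
    """Decide whether framer_url may embed framed_url, given the latter's X-Frame-Options.

    With enforce_https=True (the post's proposal), an https document's allow-from list is
    treated as https-only: 'allow-from http://www.bob.com' admits https://www.bob.com only.
    """
    framed = origin_of(framed_url)
    framer = origin_of(framer_url)
    directive, allowed = parse_xfo(xfo_value)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return framer == framed
    if enforce_https and framed[0] == "https":
        allowed = upgrade_to_https(allowed)
    return framer == allowed
```

Browsers later dropped ALLOW-FROM in favour of the CSP frame-ancestors directive, so the same scheme question applies to that directive's source list today.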
