I'm not sure that invariant makes sense. As another example, it seems entirely reasonable for an HTTP page to include a copy of jQuery from an HTTPS URL.
Adam

On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe <[email protected]> wrote:
> Hi folks
>
> Consider a site at www.alice.com that wants to only be framed by their
> friends at www.bob.com.
>
> Say, a request to https://www.alice.com might respond with a
> X-Frame-Options: allow-from http://www.bob.com
>
> Clearly, the https://www.alice.com has the privileges to act with the
> 'secure' cookie for alice.com. In this scenario, http://www.bob.com might
> actually be MITM'ed by Mallory and contain malicious code. In this scenario,
> does it make sense to allow http://www.bob.example to frame
> https://www.alice.example? I think this is wrong behavior: a higher-level
> invariant that should be maintained (at least in the newer specs :) is
> that only HTTPS content has access to secure cookie privileges.
>
> Thus, I think the right thing to do is:
> Enforce https for all the origins in the list returned in allow-from by
> https://www.alice.com. Even if https://www.alice.com responds with
> http://www.bob.com in its X-Frame-Options, the browser should only allow
> https://www.bob.com to frame https://www.alice.com
>
> I think this is even more compelling in case alice.com has enforced HSTS.
>
> What do others think?
>
> thanks
> devdatta
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
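The framing decision the two posts above argue about, as an added example written for this page (it is not code from either poster, from a browser, or from any spec): a small model of how a browser evaluates X-Frame-Options, with a switch that turns on the proposed "https framed document accepts only an https framer" rule so the two behaviours can be compared side by side. Hostnames (www.alice.example, www.bob.example, www.mallory.example) and the `enforceHttps` option name are illustrative assumptions.

```javascript
// Added example: model of the browser-side X-Frame-Options decision, used to
// contrast current ALLOW-FROM handling with the stricter rule proposed in the
// thread. Hostnames and the enforceHttps option are illustrative.

// Serialize a URL to its origin ("scheme://host[:port]", default port elided);
// ALLOW-FROM comparisons are made on the full origin, so scheme matters.
function originOf(url) {
  const o = new URL(url).origin;
  if (o === 'null') throw new Error(`not a tuple origin: ${url}`);
  return o;
}

// Parse an X-Frame-Options value. Directive names are case-insensitive;
// ALLOW-FROM takes a single serialized origin after whitespace.
function parseXFO(value) {
  const v = value.trim();
  const m = /^allow-from\s+(\S+)$/i.exec(v);
  if (m) return { directive: 'ALLOW-FROM', origin: originOf(m[1]) };
  const u = v.toUpperCase();
  if (u === 'DENY' || u === 'SAMEORIGIN') return { directive: u };
  throw new Error(`unrecognised X-Frame-Options value: ${value}`);
}

// Decide whether the document at framedUrl (served with xfoHeader) may be
// embedded by a top-level document at framerUrl.
// With enforceHttps = true, an https:// framed document accepts only an
// https:// framer: an http:// origin listed in ALLOW-FROM is upgraded to
// https:// before comparison, so a plain-HTTP (MITM-able) framer is refused.
function framingAllowed(framedUrl, framerUrl, xfoHeader, { enforceHttps = false } = {}) {
  const framed = originOf(framedUrl);
  const framer = originOf(framerUrl);
  const xfo = parseXFO(xfoHeader);
  switch (xfo.directive) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return framed === framer;
    case 'ALLOW-FROM': {
      let allowed = xfo.origin;
      if (enforceHttps && framed.startsWith('https://') && allowed.startsWith('http://')) {
        allowed = 'https://' + allowed.slice('http://'.length);
      }
      return framer === allowed;
    }
  }
  return false;
}

// The scenario from the thread: https://www.alice.example answers with
// "X-Frame-Options: allow-from http://www.bob.example".
const FRAMED = 'https://www.alice.example/';
const XFO = 'allow-from http://www.bob.example';

function scenario(framerUrl, enforceHttps) {
  return framingAllowed(FRAMED, framerUrl, XFO, { enforceHttps });
}

// Stand-alone run: print the decision table for both rules.
for (const framer of ['http://www.bob.example/', 'https://www.bob.example/', 'https://www.mallory.example/']) {
  console.log(framer, 'current:', scenario(framer, false), 'proposed:', scenario(framer, true));
}
```

Two things the table makes visible: under the proposed rule the http:// framer is refused, but the https:// framer is now accepted even though alice listed http://www.bob.example, i.e. the rule silently rewrites the policy rather than just tightening it; and when the framed document is itself served over plain HTTP, the option has no effect, which is the case Adam's jQuery remark is about.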
