The invariant I am talking about is more comparable to an https page including jquery with an http URL, something that, afaik, is considered unsafe and is blocked by browsers.
-devdatta

On 20 July 2011 13:24, Adam Barth <[email protected]> wrote:
> I'm not sure that invariant makes sense. As another example, it seems
> entirely reasonable for an HTTP page to include a copy of jQuery from
> an HTTPS URL.
>
> Adam
>
>
> On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe <[email protected]> wrote:
> > Hi folks
> >
> > Consider a site at www.alice.com that wants to only be framed by their
> > friends at www.bob.com.
> >
> > Say, a request to https://www.alice.com might respond with a
> > X-Frame-Options: allow-from http://www.bob.com
> >
> > Clearly, the https://www.alice.com has the privileges to act with the
> > 'secure' cookie for alice.com. In this scenario, http://www.bob.com might
> > actually be MITM'ed by Mallory and contain malicious code. In this scenario,
> > does it make sense to allow http://www.bob.example to frame
> > https://www.alice.example? I think this is wrong behavior: a higher-level
> > invariant that should be maintained (at least in the newer specs :) is
> > that only HTTPS content has access to secure cookie privileges.
> >
> > Thus, I think the right thing to do is:
> > Enforce https for all the origins in the list returned in allow-from by
> > https://www.alice.com. Even if https://www.alice.com responds with
> > http://www.bob.com in its X-Frame-Options, the browser should only allow
> > https://www.bob.com to frame https://www.alice.com
> >
> >
> > I think this is even more compelling in case alice.com has enforced HSTS.
> >
> > What do others think?
> >
> >
> > thanks
> > devdatta
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
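As an added illustration of the rule Devdatta proposes (this is not code from the thread or from any browser), the following Python models an X-Frame-Options check in which an ALLOW-FROM origin listed by an https-served page is honoured only for an https framer, even when the header names an http origin. The function names, the `enforce_https` switch and the alice/bob URLs are constructed for the example; `framer_url` is assumed to be the origin of the embedding (top-level) page.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return scheme, p.hostname.lower(), port


def framing_allowed(framed_url: str, xfo_value: str, framer_url: str,
                    enforce_https: bool = True) -> bool:
    """Decide whether the page at framer_url may embed the page at framed_url,
    given the X-Frame-Options header value the framed page sent.

    Handles DENY, SAMEORIGIN and ALLOW-FROM <origin>.  With enforce_https=True
    (the proposal from the thread) an ALLOW-FROM origin returned by an https
    page is upgraded to https before comparison, so an http framer is refused
    even when the header literally says http://.  enforce_https=False gives the
    naive literal-origin comparison for contrast.
    """
    framed = origin_of(framed_url)
    framer = origin_of(framer_url)
    directive, _, arg = xfo_value.strip().partition(" ")
    directive = directive.upper()

    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return framer == framed
    if directive == "ALLOW-FROM":
        allowed = origin_of(arg.strip())
        if enforce_https and framed[0] == "https" and allowed[0] == "http":
            # Upgrade the listed origin: http://host (port 80) becomes https://host (port 443);
            # an explicit non-default port is kept as written.
            allowed = ("https", allowed[1], 443 if allowed[2] == 80 else allowed[2])
        return framer == allowed
    raise ValueError(f"unrecognised X-Frame-Options value: {xfo_value!r}")
```

Under the proposed rule, `ALLOW-FROM http://www.bob.com` sent by https://www.alice.com admits https://www.bob.com and rejects http://www.bob.com; with `enforce_https=False` the http framer is admitted, which is the case the thread argues is unsafe.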
