Hi devdatta,

I would agree that it would be a bad idea for https://www.alice.com to allow being framed by http://www.bob.com, as the channel to bob would not be protected.

However, I am not sure that we must, or even should, prevent that behaviour inherently in the standard by shutting down any cross-channel framing.

From my perspective the standard should provide the tool to secure your application, not necessarily limit/prevent all stupid things from happening. (Not sure whether there might be legitimate cases for such a scenario.)

So Frame-Options gives you the chance to declare that your web site is not to be framed by http://www.bob.com, but if you decide to explicitly allow it, well, maybe you have a unique business case/reasons that demand that, and you want to accept that risk while still reducing CSRF by using Frame-Options.

Kind regards, Tobias



On 20/07/11 21:16, Devdatta Akhawe wrote:
Hi folks

Consider a site at www.alice.com that wants to only be framed by their friends at www.bob.com.

Say, a request to https://www.alice.com might respond with an X-Frame-Options: allow-from http://www.bob.com

Clearly, https://www.alice.com has the privileges to act with the 'secure' cookie for alice.com. In this scenario, http://www.bob.com might actually be MITM'ed by Mallory and contain malicious code. In this scenario, does it make sense to allow http://www.bob.example to frame https://www.alice.example? I think this is wrong behavior: a higher-level invariant that should be maintained (at least in the newer specs :) is that only HTTPS content has access to secure cookie privileges.

Thus, I think the right thing to do is:
Enforce https for all the origins in the list returned in allow-from by https://www.alice.com. Even if https://www.alice.com responds with http://www.bob.com in its X-Frame-Options, the browser should only allow https://www.bob.com to frame https://www.alice.com.


I think this is even more compelling in case alice.com has enforced HSTS.

What do others think ?


thanks
devdatta




_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
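The two positions in the thread differ in exactly one branch of the frame-ancestor check. The following is an added illustration, not code from the thread or from either author, modelling how a browser would evaluate X-Frame-Options under each rule. The function names (parseOrigin, parseFrameOptions, mayFrame), the strictHttps switch and the sample header values are assumptions made for the example; with strictHttps set, an https resource may only be framed by an https ancestor even if the ALLOW-FROM value names an http origin (Devdatta's proposal); without it, the header is honoured as written (Tobias's position).

```javascript
// Added example (not from the websec thread): a model of the X-Frame-Options
// frame-ancestor check with and without the "enforce https for allow-from" rule.
// Names and sample values below are assumptions made for illustration.

// Parse an origin or URL string into {scheme, host, port}; null if unusable.
function parseOrigin(s) {
  let u;
  try { u = new URL(s); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol.slice(0, -1), host: u.hostname.toLowerCase(), port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Parse an X-Frame-Options header value into {mode, origin}.
function parseFrameOptions(value) {
  const v = value.trim();
  const upper = v.toUpperCase();
  if (upper === "DENY") return { mode: "DENY" };
  if (upper === "SAMEORIGIN") return { mode: "SAMEORIGIN" };
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(v);
  if (m) {
    const o = parseOrigin(m[1]);
    return o ? { mode: "ALLOW-FROM", origin: o } : { mode: "INVALID" };
  }
  return { mode: "INVALID" };
}

// May `framerOriginStr` embed the document fetched from `responseUrl`, given the
// response's X-Frame-Options value? `strictHttps` selects the rule under debate:
//   true  -> an https resource may only be framed by an https ancestor; an http
//            origin in ALLOW-FROM is treated as its https counterpart (port 443).
//   false -> the ALLOW-FROM origin is matched exactly as the server wrote it.
function mayFrame(responseUrl, xfoValue, framerOriginStr, strictHttps) {
  const target = parseOrigin(responseUrl);
  const framer = parseOrigin(framerOriginStr);
  if (!target || !framer) return false;
  const xfo = parseFrameOptions(xfoValue);
  switch (xfo.mode) {
    case "DENY":
      return false;
    case "SAMEORIGIN":
      return sameOrigin(target, framer);
    case "ALLOW-FROM": {
      let allowed = xfo.origin;
      if (strictHttps && target.scheme === "https" && allowed.scheme !== "https") {
        // Coerce http://www.bob.com to https://www.bob.com before matching.
        allowed = { scheme: "https", host: allowed.host, port: "443" };
      }
      return sameOrigin(framer, allowed);
    }
    default:
      // Unparseable header: fail closed here. This is an assumption for the
      // example; real browsers of the period did not all behave this way.
      return false;
  }
}

// Constructed sample: alice is served over https and names an http origin.
const ALICE = "https://www.alice.com/page";
const XFO = "ALLOW-FROM http://www.bob.com";
console.log(mayFrame(ALICE, XFO, "http://www.bob.com", false));  // header honoured as written
console.log(mayFrame(ALICE, XFO, "http://www.bob.com", true));   // http ancestor refused
console.log(mayFrame(ALICE, XFO, "https://www.bob.com", true));  // https ancestor allowed
```

The point of the strictHttps branch is that the only thing it changes is the scheme (and default port) of the listed origin; host matching, DENY and SAMEORIGIN are untouched, which is why the proposal can be stated as a one-line invariant rather than a new header syntax.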
