On 18/02/2012 09:06, Adam Barth wrote:
On Fri, Feb 17, 2012 at 5:14 PM, David Ross <[email protected]> wrote:
here's a good argument that sites attempting to avoid attacks such as
phishing and clickjacking would not want to frame arbitrary content.
Users really only have an easy way to make immediate and valid trust
decisions about the origin of the top level page, not frames contained
within those pages. But sites that frame arbitrary content do exist in
the real world, for better or worse. While there are different
philosophical viewpoints on cross-domain framing, there doesn't seem to
be any reason to avoid creating a ValidateAllAncestors flag on
Frame-Options which would instruct the browser to validate the URL of
each hosting frame up to the top level. Given this, sites that frame
arbitrary content could at least make use of SAMEORIGIN and ALLOW-FROM
for their intended purpose.
We'd like to get the intermediate frame issue documented and describe the
optional ValidateAllAncestors flag in the RFC draft.
That sounds like a reasonable way to extend the existing syntax. It's
slightly ugly
Would just "AllAncestors" be clear enough?
-- G
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
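As an added illustration of the intermediate frame issue discussed above (not code from the websec thread, from the draft, or from any browser), here is a JavaScript model of how a browser might evaluate a Frame-Options header against the chain of documents framing a page, with and without the proposed ValidateAllAncestors flag. Everything beyond the directive names SAMEORIGIN, DENY and ALLOW-FROM is an assumption for the example: the flag is carried as a ";"-separated token after the directive ("SAMEORIGIN; ValidateAllAncestors"), the shorter "AllAncestors" spelling is accepted as a synonym, and without the flag only the top-level page's origin is validated. The origins target.example and evil.example are constructed.

```javascript
// Added example, not code from the websec thread, the draft or any browser.
// Models a browser's Frame-Options check against the chain of framing
// documents, with and without the proposed ValidateAllAncestors flag.
// Assumptions for illustration: the flag is carried as a ";"-separated
// token after the directive ("SAMEORIGIN; ValidateAllAncestors"), the
// shorter "AllAncestors" spelling is accepted as a synonym, and without the
// flag only the top-level page's origin is validated.

function originOf(urlString) {
  // Reduce a URL to its origin (scheme://host[:port]) for comparison.
  return new URL(urlString).origin;
}

function parseFrameOptions(headerValue) {
  const parts = headerValue.split(';').map((s) => s.trim()).filter(Boolean);
  if (parts.length === 0) throw new Error('empty Frame-Options value');
  const directive = parts[0].toUpperCase();
  const flags = new Set(parts.slice(1).map((s) => s.toUpperCase()));
  const policy = {
    mode: null,
    allowFrom: null,
    allAncestors: flags.has('VALIDATEALLANCESTORS') || flags.has('ALLANCESTORS'),
  };
  if (directive === 'DENY' || directive === 'SAMEORIGIN') {
    policy.mode = directive;
  } else if (directive.startsWith('ALLOW-FROM ')) {
    policy.mode = 'ALLOW-FROM';
    // Take the URL from the original (case-preserving) text, not the upper-cased copy.
    policy.allowFrom = originOf(parts[0].slice('ALLOW-FROM '.length).trim());
  } else {
    throw new Error('unrecognised Frame-Options value: ' + headerValue);
  }
  return policy;
}

// framedOrigin: origin of the document that sent the header.
// ancestors: origins of the documents framing it, from the direct parent
//            (index 0) up to the top-level page (last element).
// Returns true if the browser should render the framed document.
function allowFraming(policy, framedOrigin, ancestors) {
  if (ancestors.length === 0) return true; // not framed at all
  if (policy.mode === 'DENY') return false;
  const permitted = (origin) =>
    policy.mode === 'SAMEORIGIN' ? origin === framedOrigin : origin === policy.allowFrom;
  // Without the flag only the top-level page is checked (assumed default);
  // with it, every hosting frame up to the top level must pass.
  const toCheck = policy.allAncestors ? ancestors : [ancestors[ancestors.length - 1]];
  return toCheck.every(permitted);
}

// Constructed scenario (the intermediate frame issue): target.example's top-level
// page frames arbitrary third-party content, evil.example, which in turn frames
// target.example's sensitive page that carries the header.
const SCENARIO = {
  framed: 'https://target.example',
  ancestors: ['https://evil.example', 'https://target.example'],
};

function evaluate(headerValue, framed = SCENARIO.framed, ancestors = SCENARIO.ancestors) {
  return allowFraming(parseFrameOptions(headerValue), framed, ancestors);
}

// Walk through the scenario when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  for (const h of ['SAMEORIGIN', 'SAMEORIGIN; ValidateAllAncestors', 'DENY']) {
    console.log(h.padEnd(34), '->', evaluate(h) ? 'rendered' : 'blocked');
  }
}
```

Run under Node, plain SAMEORIGIN lets the sensitive page render, because the top-level page really is target.example, even though the hop in between belongs to evil.example; the same header with the flag blocks it, because the intermediate frame is now part of what gets validated. ALLOW-FROM behaves the same way: with the flag, every hosting frame must match the permitted origin, not just the outermost one.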