Hello,
ok, I edited the draft accordingly.
http://www.ietf.org/id/draft-gondrom-frame-options-02.txt
Best regards, Tobias
PS: As discussed at our previous meeting, I also submitted a working
draft 00-version for X-Frame-Options (which is only to document the status
quo, while Frame-Options shall be the way going forward, as discussed in
our websec meeting in Paris; link:
http://www.ietf.org/id/draft-gondrom-x-frame-options-00.txt). I will update
both further in the next few days.
On 21/02/12 00:17, David Ross wrote:
AllAncestors sounds good to me.
David Ross
[email protected]
-----Original Message-----
From: Giorgio Maone [mailto:[email protected]]
Sent: Saturday, February 18, 2012 12:33 AM
To: Adam Barth
Cc: David Ross; Eduardo' Vela; IETF WebSec WG; Michal Zalewski
Subject: Re: [websec] Frame-Options header and intermediate frames
On 18/02/2012 09:06, Adam Barth wrote:
On Fri, Feb 17, 2012 at 5:14 PM, David Ross <[email protected]> wrote:
Here's a good argument that sites attempting to avoid attacks such as phishing
and clickjacking would not want to frame arbitrary content.
Users really only have an easy way to make immediate and valid trust decisions
about the origin of the top level page, not frames contained within those
pages. But sites that frame arbitrary content do exist in the real world, for
better or worse. While there are different philosophical viewpoints on
cross-domain framing, there doesn't seem to be any reason to avoid creating a
ValidateAllAncestors flag on Frame-Options which would instruct the browser to
validate the URL of each hosting frame up to the top level. Given this, sites
that frame arbitrary content could at least make use of SAMEORIGIN and
ALLOW-FROM for their intended purpose.
We'd like to get the intermediate frame issue documented and describe the
optional ValidateAllAncestors flag in the RFC draft.
That sounds like a reasonable way to extend the existing syntax. It's
slightly ugly
Would just "AllAncestors" be clear enough?
-- G
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
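The ancestor-validation behaviour discussed in the thread, as an added illustration that is not code from the draft or from any browser: a small JavaScript model of how a browser could evaluate a Frame-Options header against the chain of hosting frames, with and without the proposed AllAncestors flag. The "; AllAncestors" header syntax, the function names `parseFrameOptions` and `mayRender`, and the origins used are assumptions, since the draft had not fixed a syntax at this point.

```javascript
// Model of how a browser could evaluate a Frame-Options header against the
// chain of framing ancestors, including the AllAncestors flag proposed in the
// thread. Added illustration, not code from the draft or from any browser;
// the "<directive>; AllAncestors" syntax is assumed.

// Parse "DENY", "SAMEORIGIN" or "ALLOW-FROM <uri>", optionally followed by
// "; AllAncestors" (assumed flag spelling). Returns null if unparseable;
// browsers of the time generally ignored a header they could not parse.
function parseFrameOptions(value) {
  const [directive = '', ...flags] = value.split(';').map(s => s.trim());
  const m = /^(DENY|SAMEORIGIN|ALLOW-FROM)(?:\s+(\S+))?$/i.exec(directive);
  if (!m) return null;
  const mode = m[1].toUpperCase();
  let origin = null;
  if (mode === 'ALLOW-FROM') {
    // Reduce the ALLOW-FROM URI to its origin; an invalid URI makes the
    // whole header unparseable.
    try { origin = new URL(m[2]).origin; } catch { return null; }
  }
  return { mode, origin, allAncestors: flags.some(f => /^AllAncestors$/i.test(f)) };
}

// Decide whether a document served with `headerValue` may render inside the
// given frame hierarchy. `ancestors` lists the origins of the hosting frames,
// from the immediate parent up to the top-level page (last element).
// Without AllAncestors only the top-level origin is validated, which is the
// intermediate-frame gap the thread discusses; with AllAncestors every
// hosting frame must match the allowed origin.
function mayRender(headerValue, selfOrigin, ancestors) {
  if (ancestors.length === 0) return true;           // top-level document
  const opts = parseFrameOptions(headerValue);
  if (opts === null) return true;                    // unparseable: no restriction
  if (opts.mode === 'DENY') return false;
  const allowed = opts.mode === 'SAMEORIGIN' ? selfOrigin : opts.origin;
  const toCheck = opts.allAncestors ? ancestors : ancestors.slice(-1);
  return toCheck.every(o => o === allowed);
}

// Constructed scenario: example.test is framed by attacker.test, which is in
// turn framed by a top-level page on example.test itself.
const chain = ['https://attacker.test', 'https://example.test'];
console.log(mayRender('SAMEORIGIN', 'https://example.test', chain));               // true
console.log(mayRender('SAMEORIGIN; AllAncestors', 'https://example.test', chain));  // false
```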