Hello dear websec fellows,
please note that following the consensus of the WG for adoption of the
drafts, David and I revised the draft-gondrom-frame-options-02 draft and
uploaded it as websec WG document: draft-ietf-websec-frame-options-00
http://www.ietf.org/id/draft-ietf-websec-frame-options-00.txt
And my apologies that this revision took so long, as I was a bit
occupied with other drafts.
Please take a read; I am looking forward to your feedback.
To my knowledge there are a number of topics to be discussed about this
draft, two of them being:
1. we (the editors) removed the list of origins from the ALLOW-FROM
field, due to performance concerns with processing the origin-list. Now
it is only one URI. I am personally not entirely sure this to be the
right way, so would like to encourage discussion about this.
2. There has been some discussion whether FO (Frame-Options) should be
done in CSP instead.
In 2010/2011 there was an informal discussion about this with people
from WebAppSec with the recommendation to put in websec and it was
removed from the initial CSP version back then.
I still think that this was the right step and that FO is better done as
the successor of XFO in websec and the logical evolution step than
putting it in CSP.
My main thoughts here are:
- clear migration path from XFO to FO
- IMHO the FO function does not fit naturally with the other functions
and semantic of CSP if you look closely at CSP. And although I can sense
that it may look tempting to think about "saving http headers" and put
everything into one, I don't think this to be the right approach for FO
(nor in general).
However, I wanted to revive this discussion on the mailing-list whether
we should give up on FO and ask W3C WebAppSec to put it into CSP. One
thing I would really like to see in this discussion is to learn about
the perceived benefits from discontinuing our current approach on
Frame-Options in websec and trying to integrate it into CSP.
Btw. I will be out-of-office the next 5 days, so my apologies if I can
not answer questions and arguments on FO immediately. I will be back
very shortly.
Best regards and looking forward to reviews and discussions.
Tobias
On 06/07/12 11:47, [email protected] wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Security Working Group of the IETF.
Title : HTTP Header Frame Options
Author(s) : David Ross
Tobias Gondrom
Filename : draft-ietf-websec-frame-options-00.txt
Pages : 9
Date : 2012-07-06
Abstract:
To improve the protection of web applications against Clickjacking,
this standard defines an HTTP response header that declares a policy,
communicated from a host to the client browser, whether the
transmitted content MUST NOT be displayed in frames of other pages
from different origins which are allowed to frame the content.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-websec-frame-options
There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-websec-frame-options-00
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
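As an added illustration of the ALLOW-FROM point raised in item 1 above (this is example code written for this page, not code from the draft, its editors or any browser), the following Python sketches how a user agent might evaluate a Frame-Options style header once ALLOW-FROM carries a single URI. It assumes the three directives DENY, SAMEORIGIN and ALLOW-FROM (the X-Frame-Options vocabulary the draft succeeds), that the URI is compared as an RFC 6454 serialized origin, and that every ancestor browsing context is checked rather than only the top-level one; the header values and page URIs are constructed sample data.

```python
"""Toy evaluator for a Frame-Options style policy (constructed example).

Assumptions (not taken from the draft text):
  - directives are DENY, SAMEORIGIN and ALLOW-FROM <uri>;
  - the ALLOW-FROM URI is reduced to its scheme://host[:port] origin;
  - every ancestor browsing context must satisfy the policy.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(uri: str) -> str:
    """Serialize the origin of an absolute http(s) URI as scheme://host[:port].

    Default ports are omitted so that https://a.example:443/ and
    https://a.example/ compare equal, as RFC 6454 origins do.
    """
    parts = urlsplit(uri)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URI: {uri!r}")
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()  # urlsplit already lowercases hostname
    port = parts.port or DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError(f"unsupported scheme in {uri!r}")
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def parse_frame_options(value: str):
    """Parse a header value into (DIRECTIVE, allowed_origin_or_None).

    Malformed values raise ValueError; the caller decides what to do with
    them (a cautious implementation would treat that as DENY).
    """
    tokens = value.strip().split()
    if not tokens:
        raise ValueError("empty Frame-Options value")
    directive = tokens[0].upper()
    if directive in ("DENY", "SAMEORIGIN") and len(tokens) == 1:
        return directive, None
    if directive == "ALLOW-FROM" and len(tokens) == 2:
        # Single URI only, matching the -00 draft as described in the mail;
        # one origin comparison per ancestor is all the check costs.
        return directive, origin_of(tokens[1])
    raise ValueError(f"malformed Frame-Options value: {value!r}")


def may_display(header_value: str, content_uri: str, ancestor_uris) -> bool:
    """Return True if content_uri may be rendered inside the given frames.

    ancestor_uris lists the URI of every ancestor browsing context, top-level
    first; an empty list means the content is itself the top-level document
    and the header imposes no restriction.
    """
    if not ancestor_uris:
        return True
    directive, allowed = parse_frame_options(header_value)
    if directive == "DENY":
        return False
    own = origin_of(content_uri)
    ancestors = [origin_of(u) for u in ancestor_uris]
    if directive == "SAMEORIGIN":
        return all(a == own for a in ancestors)
    # ALLOW-FROM: every ancestor must be the one permitted origin.
    return all(a == allowed for a in ancestors)


if __name__ == "__main__":
    # Constructed sample responses and framing chains.
    cases = [
        ("DENY", "https://app.example/", ["https://app.example/"]),
        ("SAMEORIGIN", "https://app.example/", ["https://app.example:443/x"]),
        ("SAMEORIGIN", "https://app.example/", ["https://app.example/", "https://other.example/"]),
        ("ALLOW-FROM https://partner.example/embed", "https://app.example/",
         ["https://Partner.Example/"]),
        ("ALLOW-FROM https://partner.example/embed", "https://app.example/",
         ["https://partner.example/", "https://other.example/"]),
    ]
    for header, content, chain in cases:
        print(f"{header!r:45} ancestors={len(chain)} -> {may_display(header, content, chain)}")
```

The ancestor chain is checked in full on purpose: a policy that inspects only the top-level document can be satisfied by an allowed page that itself frames an attacker-controlled intermediate, so the strict reading is the one a defender wants to reason about when choosing between a single URI and an origin list.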