Here is my review (with my co-chair hat off):
[RFC3986] should be a Normative reference (as it is required to parse/generate
a valid X-Frame-Options header field).
[RFC6454] is normative, because there is a SHOULD requirement to use it.
In Section 2.1:
The ALLOW-FROM URI MUST be valid.
I don't know what this means exactly. Can you elaborate?
2.2. Backus-Naur Form (BNF)
The RFC 822 [RFC0822] EBNF of the X-Frame-Options header is:
Which makes [RFC0822] Normative.
X-Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" /
("ALLOW-FROM" ":" URI)
With URI as defined in [RFC3986]
[TBD] Or should we use the ABNF (RFC 2234) alternatively to EBNF or in addition?
Yes, you should use RFC 5234. This probably means inserting "[WSP]" in various
places, but I think that would be much better.
2.3.2. Browser Behaviour and Processing
To allow secure implementations, browsers MUST behave in a consistent
and reliable way.
This is self-evident, IMHO, and I don't think it adds much value. How exactly
would violation of or conformance to this MUST be verified? I suggest deleting
the sentence.
2.4.1. Example scenario for the ALLOW-FROM parameter
1. Inner IFRAME suggests via a querystring parameter what site it
wants to be hosted by. This can obviously be specified by an
attacker, but that's OK.
I blame lack of sleep, but can you explain this to me in more detail?
5. Security Considerations
The introduction of the http header X-FRAME-OPTIONS does improve the
protection against Clickjacking, however it is not self-sufficient on
its own but MUST be used in conjunction with other security measures
like secure coding and Content Security Policy (CSP)
CSP needs an Informative reference.
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec
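As an added example (not part of the message or of the draft under review), here is a Python parser for the field value that follows the BNF quoted above, tolerates optional WSP where the review suggests inserting it, and reduces the ALLOW-FROM URI to an RFC 6454 origin. Treating keywords case-insensitively and accepting only http/https URIs with a host are assumptions of this example, not statements of the draft.

```python
import re
from urllib.parse import urlsplit

# RFC 5234 WSP = SP / HTAB, made optional where the review suggests it.
WSP = r"[ \t]*"

# The draft's BNF as quoted in the message, with WSP tolerated:
#   "DENY" / "SAMEORIGIN" / ("ALLOW-FROM" ":" URI)
# Case-insensitive keyword matching is an assumption of this example.
_VALUE_RE = re.compile(
    rf"^{WSP}(?:(?P<deny>DENY)|(?P<same>SAMEORIGIN)"
    rf"|ALLOW-FROM{WSP}:{WSP}(?P<uri>\S+)){WSP}$",
    re.IGNORECASE,
)

# Assumption: only http(s) origins make sense for a framing policy.
_DEFAULT_PORT = {"http": 80, "https": 443}


def parse_frame_options(value: str):
    """Parse an X-Frame-Options field value.

    Returns ("DENY", None), ("SAMEORIGIN", None) or ("ALLOW-FROM", origin),
    where origin is the RFC 6454 serialisation scheme://host[:port] of the
    URI.  Raises ValueError when the value does not match the BNF or when
    the ALLOW-FROM URI is not an absolute http(s) URI with a host.
    """
    m = _VALUE_RE.match(value)
    if m is None:
        raise ValueError(f"malformed X-Frame-Options value: {value!r}")
    if m.group("deny"):
        return ("DENY", None)
    if m.group("same"):
        return ("SAMEORIGIN", None)

    uri = m.group("uri")
    parts = urlsplit(uri)            # RFC 3986 generic-syntax split
    scheme = parts.scheme.lower()
    host = parts.hostname            # lower-cased; IPv6 brackets stripped
    if scheme not in _DEFAULT_PORT or not host:
        raise ValueError(f"ALLOW-FROM URI is not a valid http(s) URI: {uri!r}")
    port = parts.port                # raises ValueError on a non-numeric port
    if ":" in host:                  # restore brackets for an IPv6 literal
        host = f"[{host}]"
    if port is None or port == _DEFAULT_PORT[scheme]:
        return ("ALLOW-FROM", f"{scheme}://{host}")
    return ("ALLOW-FROM", f"{scheme}://{host}:{port}")


def is_valid(value: str) -> bool:
    """Conformance check: True when the value parses under the BNF above."""
    try:
        parse_frame_options(value)
        return True
    except ValueError:
        return False
```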