On 27/02/13 00:06, Julian Reschke wrote: > On 2013-02-26 11:24, Tobias Gondrom wrote: >> Thanks a lot for bringing this to WG attention. >> It seems that I misread that point when I first wrote the draft. >> Actually the same is true for IE. >> I corrected the ABNF in the new version to reflect IE and Mozilla >> behavior. >> Best regards and thanks a lot for catching this! >> Tobias >> ... > > > See <https://bugzilla.mozilla.org/show_bug.cgi?id=836132#c19>: > >> Phil Ames (New to Bugzilla) 2013-02-26 08:00:53 PST >> >> From >> http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2 >> : >> >> "The values are specified as ABNF strings, and therefore are >> case-insensitive" >> >> and the relevant methods in the code use >> "[header-value].LowerCaseEqualsLiteral(...)" so they match >> case-insensitively. >> >> One note, I think the spec is incorrect in stating that FF/Chrome >> support colons in 2.2.2, Chrome has no support at all for Allow-From >> (just my pending patch which has the same behavior as the one that >> led to this bug), and obviously colons are not supported here either >> (and the intent seems to be to not permit them). > > So I believe > <http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2.2> > needs to be fixed; in the best case by just removing it.
I would be fine with removing this. Just for the record: >From another reviewer/security researcher, I received on Jan-9 the following feedback: "IE8+ : X-Frame-Options: ALLOW-FROM http://example.com/ IETF-draft : X-Frame-Options: ALLOW-FROM: http://example.com/ IE needs no colon between "ALLOW-FROM" and uri.Firefox and Chrome accept both." Which indicated that Firefox and Chrome would support both, which is why I kept it in. But in reflection, it probably does not add value to talk about all other possible syntax form that could be supported in some browsers due to tolerance. So I would agree with you to remove 2.2.2. (And if until Sunday I don't hear any objections, I will do so.) Best regards and thanks for the feedback, Tobias > > Best regards, Julian > _______________________________________________ > websec mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/websec > _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
