Re: [apps-discuss] Appsdir review of draft-ietf-websec-x-frame-options-06
Martin Thomson <martin.thomson@gmail.com> Mon, 29 July 2013 11:24 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 930D621F9B5F; Mon, 29 Jul 2013 04:24:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.315
X-Spam-Level:
X-Spam-Status: No, score=-2.315 tagged_above=-999 required=5 tests=[AWL=0.285, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pZmkEtiA5zQv; Mon, 29 Jul 2013 04:24:16 -0700 (PDT)
Received: from mail-we0-x22d.google.com (mail-we0-x22d.google.com [IPv6:2a00:1450:400c:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 6727621F968B; Mon, 29 Jul 2013 04:24:05 -0700 (PDT)
Received: by mail-we0-f173.google.com with SMTP id x55so3885114wes.32 for <multiple recipients>; Mon, 29 Jul 2013 04:24:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=X55szGBycYAupnoJCbiYtsUX0/eUWoBzI6IJAZudeEc=; b=KHJZroFIr1qWxST6U1i3yEolBbH8sUM+1m/vpWlrX4fspTUIfzlxixq582xWS7mi1Z D/8VKPbr8EQFx5KO71X4XiXJv/fONoiWkKQcmG3jNlJI/U9PWuUXwLpDFDWqEuWJe7ht s99IaiDc3sGKbPGf+1D60nljSMuC/M1D/+lZ5snqtkjnlRj2Eotd4h3PuSxU2MgLNTXP JFRLTpkLNil4xR9Khpyl9AiWj+DmQg/bhy9WZVJydNLHdja03F6vA7tNoW2gxTB7IvCW +B1eZld0I/MlGqjNpNWPmq8XIyTTf/hSu/gbdzJsJ4MJWEJjsyj+tqfs6hIEOOKMYhXv zZvQ==
MIME-Version: 1.0
X-Received: by 10.194.78.110 with SMTP id a14mr42980491wjx.84.1375097044540; Mon, 29 Jul 2013 04:24:04 -0700 (PDT)
Received: by 10.194.60.46 with HTTP; Mon, 29 Jul 2013 04:24:04 -0700 (PDT)
In-Reply-To: <CABkgnnVkxNFUJ5=dEmrooAS0-aqSxk=GLQvxPTtdSuT1uvrW9g@mail.gmail.com>
References: <CABkgnnVkxNFUJ5=dEmrooAS0-aqSxk=GLQvxPTtdSuT1uvrW9g@mail.gmail.com>
Date: Mon, 29 Jul 2013 04:24:04 -0700
Message-ID: <CABkgnnXcnekbCu7Hj4V7tnmetiK1d4goX_4Mk70X-C=J9p0Guw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: IETF Apps Discuss <apps-discuss@ietf.org>, draft-ietf-websec-x-frame-options.all@tools.ietf.org
Content-Type: text/plain; charset="UTF-8"
Cc: The IESG <iesg@ietf.org>
Subject: Re: [apps-discuss] Appsdir review of draft-ietf-websec-x-frame-options-06
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 11:24:23 -0000
I can never get the addresses right on these things. Adding draft-related recipients. On 29 July 2013 02:37, Martin Thomson <martin.thomson@gmail.com> wrote: > I have been selected as the Applications Area Directorate reviewer for > this draft (for background on appsdir, please see > http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate > ). > > Please resolve these comments along with any other Last Call comments > you may receive. Please wait for direction from your document shepherd > or AD before posting a new version of the draft. > > Document: draft-ietf-websec-x-frame-options-06 > Title: HTTP Header Field X-Frame-Options > Reviewer: Martin Thomson > Review Date: 2013-07-29 > IETF Last Call Date: ? > IESG Telechat Date: ? > > Summary: > This draft is almost ready for publication as an Informational RFC. > > Major Issues: > > Please make the list of affected contexts explicit from the outset. > The draft initally only talks about <frame> and <iframe>. And then > Section 2.3.1 comes around and causes me to become highly confused. > At first read, I thought that 2.3.1 just wasn't clear enough about the > fact that addressing only frames and iframes is a problem. On a > second read, it seems to imply that X-Frame-Options is intended to > apply to cross-origin content of the identified forms _in addition to_ > frame and iframe. > > 2.3.2.1 says "the browser SHOULD redirect as soon as possible to a > "No-Frame" page". I don't know how to do that based on the current > text. Where does the redirect happen, what does it redirect to, > etc... I think that the intent is to say that "In place of the framed > content, the browser SHOULD render placeholder content that informs > the user that the intended content could not be framed. It MAY > include a link that opens the content in an unframed context." > > Minor Issues: > > The definition of ALLOW-FROM says that it is followed by "a URI [...] > of a trusted origin". I was initially inclined to suggest that this > be restricted to the origin serialization defined in Section 6.1 of > RFC6454, but it's clear that existing implementations accept URIs. > (And an origin happens to also be a valid URI, so that's good.) I > think that this description could be clearer. In particular, the fact > that port numbers are ignored is really important, but it's almost > hidden. > > Perhaps a reword: > > ALLOW-FROM (followed by a URI [RFC3986]) > A browser receiving content with this header MUST NOT display > this content in a frame from any page with a top-level browsing > context that has a different scheme or host from the identified URI. > > This uses a limited two-tuple form of the web origin concept [RFC6454]. > All parts of the URI aside from scheme and host are ignored. > > This is perhaps a change, because it defines the behavior of existing > implementations, but I believe that this is consistent with the intent > of the document. > > Did 2.3.1 this omit other forms of content inclusion intentionally > (IMG, SCRIPT, VIDEO, AUDIO, etc..)? Can this be explained better? > > The meta http-equiv thing is a bit of a big deal. I'm surprised that > it's hidden in the last paragraph of security considerations. Since > this is in some views a property of content, not supporting http-equiv > is a large gotcha. Please consider highlighting it. > > Nits: > Introduction: s/Thus, Thus, /Thus, /
- [apps-discuss] Appsdir review of draft-ietf-webse… Martin Thomson
- Re: [apps-discuss] Appsdir review of draft-ietf-w… Martin Thomson