idnits 2.17.1 

draft-hodges-websec-framework-reqs-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  == There are 4 instances of lines with non-RFC2606-compliant FQDNs in the
     document.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (Jul 2012) is 4293 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'I-D.draft-ietf-websec-strict-transport-sec-11' is
     mentioned on line 302, but not defined

  == Unused Reference: '28' is defined on line 921, but no explicit reference
     was found in the text

  == Unused Reference: '30' is defined on line 929, but no explicit reference
     was found in the text

  == Unused Reference: 'I-D.ietf-websec-strict-transport-sec' is defined on
     line 992, but no explicit reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. '0'

  -- Possible downref: Non-RFC (?) normative reference: ref. '1'

  -- Possible downref: Non-RFC (?) normative reference: ref. '2'

  -- Possible downref: Non-RFC (?) normative reference: ref. '3'

  -- Possible downref: Non-RFC (?) normative reference: ref. '4'

  -- Possible downref: Non-RFC (?) normative reference: ref. '5'

  -- Possible downref: Non-RFC (?) normative reference: ref. '6'

  ** Obsolete normative reference: RFC 5246 (ref. '7') (Obsoleted by RFC 8446)

  -- Possible downref: Non-RFC (?) normative reference: ref. '8'

  -- Possible downref: Non-RFC (?) normative reference: ref. '9'

  -- Possible downref: Non-RFC (?) normative reference: ref. '10'

  -- Possible downref: Non-RFC (?) normative reference: ref. '11'

  -- Possible downref: Non-RFC (?) normative reference: ref. '12'

  -- Possible downref: Non-RFC (?) normative reference: ref. '13'

  -- Possible downref: Non-RFC (?) normative reference: ref. '14'

  -- Possible downref: Non-RFC (?) normative reference: ref. '15'

  -- Possible downref: Non-RFC (?) normative reference: ref. '16'

  -- Possible downref: Non-RFC (?) normative reference: ref. '17'

  -- Possible downref: Non-RFC (?) normative reference: ref. '18'

  -- Possible downref: Non-RFC (?) normative reference: ref. '19'

  -- Possible downref: Non-RFC (?) normative reference: ref. '20'

  -- Possible downref: Non-RFC (?) normative reference: ref. '21'

  -- Possible downref: Non-RFC (?) normative reference: ref. '22'

  -- Possible downref: Non-RFC (?) normative reference: ref. '23'

  -- Possible downref: Non-RFC (?) normative reference: ref. '24'

  -- Possible downref: Non-RFC (?) normative reference: ref. '25'

  -- Possible downref: Non-RFC (?) normative reference: ref. '26'

  -- Possible downref: Non-RFC (?) normative reference: ref. '27'

  -- Possible downref: Non-RFC (?) normative reference: ref. '28'

  -- Possible downref: Non-RFC (?) normative reference: ref. '29'

  -- Possible downref: Non-RFC (?) normative reference: ref. '30'

  -- Possible downref: Non-RFC (?) normative reference: ref. '31'

  -- Possible downref: Non-RFC (?) normative reference: ref. '33'

  -- Possible downref: Non-RFC (?) normative reference: ref. '34'

  -- Possible downref: Non-RFC (?) normative reference: ref. '35'

  -- Possible downref: Non-RFC (?) normative reference: ref. '36'

  -- Possible downref: Non-RFC (?) normative reference: ref. '37'

  -- Possible downref: Non-RFC (?) normative reference: ref. '38'

  -- Possible downref: Non-RFC (?) normative reference: ref. '39'

  -- Possible downref: Non-RFC (?) normative reference: ref. '40'

  -- Possible downref: Non-RFC (?) normative reference: ref. '41'

  -- Possible downref: Non-RFC (?) normative reference: ref. '42'

  -- Possible downref: Non-RFC (?) normative reference: ref. '43'

  == Outdated reference: A later version (-14) exists of
     draft-ietf-websec-strict-transport-sec-11


     Summary: 2 errors (**), 0 flaws (~~), 7 warnings (==), 43 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                          J. Hodges
3	Internet-Draft                                                    PayPal
4	Intended status: Standards Track                                Jul 2012
5	Expires: January 2, 2013

7	       Web Security Framework: Problem Statement and Requirements
8	                 draft-hodges-websec-framework-reqs-02

10	Abstract

12	   Web-based malware and attacks are proliferating rapidly on the
13	   Internet.  New web security mechanisms are also rapidly growing in
14	   number, although in an incoherent fashion.  This document provides a
15	   brief overview of the present situation and the various seemingly
16	   piece-wise approaches being taken to mitigate the threats.  It then
17	   provides an overview of requirements as presently being expressed by
18	   the community in various online and face-to-face discussions.

20	Status of this Memo

22	   This Internet-Draft is submitted in full conformance with the
23	   provisions of BCP 78 and BCP 79.

25	   Internet-Drafts are working documents of the Internet Engineering
26	   Task Force (IETF).  Note that other groups may also distribute
27	   working documents as Internet-Drafts.  The list of current Internet-
28	   Drafts is at http://datatracker.ietf.org/drafts/current/.

30	   Internet-Drafts are draft documents valid for a maximum of six months
31	   and may be updated, replaced, or obsoleted by other documents at any
32	   time.  It is inappropriate to use Internet-Drafts as reference
33	   material or to cite them other than as "work in progress."

35	   This Internet-Draft will expire on January 2, 2013.

37	Copyright Notice

39	   Copyright (c) 2012 IETF Trust and the persons identified as the
40	   document authors.  All rights reserved.

42	   This document is subject to BCP 78 and the IETF Trust's Legal
43	   Provisions Relating to IETF Documents
44	   (http://trustee.ietf.org/license-info) in effect on the date of
45	   publication of this document.  Please review these documents
46	   carefully, as they describe your rights and restrictions with respect
47	   to this document.  Code Components extracted from this document must
48	   include Simplified BSD License text as described in Section 4.e of
49	   the Trust Legal Provisions and are provided without warranty as
50	   described in the Simplified BSD License.

52	Table of Contents

54	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
55	     1.1.  Where to Discuss This Draft  . . . . . . . . . . . . . . .  4
56	   2.  Document Conventions . . . . . . . . . . . . . . . . . . . . .  4
57	   3.  Overall Constraints  . . . . . . . . . . . . . . . . . . . . .  5
58	   4.  Overall Requirements . . . . . . . . . . . . . . . . . . . . .  6
59	   5.  Attacks and Threats to Address . . . . . . . . . . . . . . . .  8
60	     5.1.  Attacks  . . . . . . . . . . . . . . . . . . . . . . . . .  8
61	     5.2.  Threats  . . . . . . . . . . . . . . . . . . . . . . . . .  8
62	   6.  Use Cases  . . . . . . . . . . . . . . . . . . . . . . . . . .  9
63	   7.  Detailed Functional Requirements . . . . . . . . . . . . . . . 10
64	   8.  Extant Policies to Coalesce  . . . . . . . . . . . . . . . . . 18
65	   9.  Example Concrete Approaches  . . . . . . . . . . . . . . . . . 19
66	   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 19
67	   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
68	   12. Informative References . . . . . . . . . . . . . . . . . . . . 23
69	   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 23

71	1.  Introduction

73	   Over the past few years, we have seen a proliferation of AJAX-based
74	   web applications (AJAX being shorthand for asynchronous JavaScript
75	   and XML), as well as Rich Internet Applications (RIAs), based on so-
76	   called Web 2.0 technologies.  These applications bring both luscious
77	   eye-candy and convenient functionality--e.g. social networking--to
78	   their users, making them quite compelling.  At the same time, we are
79	   seeing an increase in attacks against these applications and their
80	   underlying technologies [1].  The latter include (but aren't limited
81	   to) Cross-Site-Request Forgery (CSRF) -based attacks [2], content-
82	   sniffing cross-site-scripting (XSS) attacks [3], attacks against
83	   browsers supporting anti-XSS policies [4], clickjacking attacks [5],
84	   malvertising attacks [6], as well as man-in-the-middle (MITM) attacks
85	   against "secure" (e.g.  Transport Layer Security (TLS/SSL)-based [7])
86	   web sites along with distribution of the tools to carry out such
87	   attacks (e.g. sslstrip) [8].

89	   During the same time period we have also witnessed the introduction
90	   of new web security indicators, techniques, and policy communication
91	   mechanisms sprinkled throughout the various layers of the Web and
92	   HTTP.  We have a new cookie security flag called HTTPOnly [9].  We
93	   have the anti-clickjacking X-Frame-Options HTTP header [10], the
94	   Strict-Transport-Security HTTP header [11], anti-CSRF headers (e.g.
95	   Origin) [12], an anti-sniffing header (X-Content-Type-Options:
96	   nosniff) [13], various approaches to content restrictions [14] [15]
97	   and notably Mozilla Content Security Policy (CSP; conveyed via a HTTP
98	   header) [16], the W3C's Cross-Origin Resource Sharing (CORS; also
99	   conveyed via a HTTP header) [17], as well as RIA security controls
100	   such as the crossdomain.xml file used to express a site's Adobe Flash
101	   security policy [18].  There's also the Application Boundaries
102	   Enforcer (ABE) [19], included as a part of NoScript [20], a popular
103	   Mozilla Firefox security extension.  Sites can express their ABE
104	   rule-set at a well-known web address for downloading by individual
105	   clients [21], similarly to Flash's crossdomain.xml.  Amidst this
106	   haphazard collage of new security mechanisms at least one browser
107	   vendor has even devised a new HTTP header that disables one of their
108	   newly created security features: witness the X-XSS-Protection header
109	   that disables the new anti-XSS features [22] in Microsoft's Internet
110	   Explorer 8 (IE8).

112	   Additionally, there are various proposals aimed at addressing other
113	   facets of inherent web vulnerabilities, for example: JavaScript
114	   postMessage-based mashup communications [23], hypertext isolation
115	   techniques [24], and service security policies advertised via the
116	   Domain Name System (DNS) [25].  Going even further, there are efforts
117	   to redesign web browser architectures [26], of which Google Chrome
118	   and IE8 are deployed examples.  An even more radical approach is
119	   exhibited in the Gazelle Web Browser [27], which features a browser
120	   kernel embodied in a multi-principal OS construction providing cross-
121	   principal protection and fair sharing of all system resources.

123	   Not to be overlooked is the fact that even though there is a plethora
124	   of "standard" browser security features--e.g. the Same Origin Policy
125	   (SOP), network-related restrictions, rules for third-party cookies,
126	   content-handling mechanisms, etc. [28]--they are not implemented
127	   uniformly in today's various popular browsers and RIA frameworks
128	   [29].  This makes life even harder for web site administrators in
129	   that allowances must be made in site security posture and approaches
130	   in consideration of which browser a user may be wielding at any
131	   particular time.

133	   Although industry and researchers collectively are aware of all the
134	   above issues, we observe that the responses to date have been issue-
135	   specific and uncoordinated.  What we are ending up with looks perhaps
136	   similar to Frankenstein's monster [30]--a design with noble intents
137	   but whose final execution is an almost-random amalgamation of parts
138	   that do not work well together.  It can even cause destruction on its
139	   own [31].

141	   Thus, the goal of this document is to define the requirements for a
142	   common framework expressing security constraints on HTTP
143	   interactions.  Functionally, this framework should be general enough
144	   that it can be used to unite the various individual solutions above,
145	   and specific enough that it can address vulnerabilities not addressed
146	   by current solutions, and guide the development of future mechanisms.

148	   Overall, such a framework would provide web site administrators the
149	   tools for managing, in a least privilege [33] manner, the overall
150	   security characteristics of their web site/applications when realized
151	   in the context of user agents.

153	1.1.  Where to Discuss This Draft

155	   Please disscuss this draft on the websec@ietf.org mailing list
156	   [WebSec].

158	2.  Document Conventions

160	   Note:  ..is a note to the reader.  These are points that should be
161	          expressly kept in mind and/or considered.

163	   [[XXXn: Some of the more major known issues are marked like this
164	   (where "n" in "XXXn" is a number). --JeffH]]

166	   [[TODOn: Things to fix (where "n" in "TODOn" is a number). --JeffH]]

168	   We will also be making use of the WebSec WG issue tracker, so use of
169	   the above two issue & TODO marks will evolve accordingly.

171	3.  Overall Constraints

173	   Regardless of the overall approaches chosen for conveying site
174	   security policies, we believe that to be deployed at Internet-scale,
175	   and to be as widely usable as possible for both novice and expert
176	   alike, the overall solution approach will need to address these three
177	   points of tension:

179	      Granularity:

181	         There has been much debate during the discussion of some policy
182	         mechanisms (e.g.  CSP) as to how fine-grained such mechanisms
183	         should be.  The argument against fine-grained mechanisms is
184	         that site administrators will cause themselves pain by
185	         instantiating policies that do not yield the intended results.
186	         E.g. simply copying the expressed policies of a similar site.
187	         The claim is that this would occur for various reasons stemming
188	         from the mechanisms' complexity [34].

190	      Configurability:

192	         Not infrequently, the complexity of underlying facilities, e.g.
193	         in server software, is not well-packaged and thus
194	         administrators are obliged to learn more about the intricacies
195	         of these systems than otherwise might be necessary.  This is
196	         sometimes used as an argument for "dumbing down" the
197	         capabilities of policy expression mechanisms [34].

199	      Usability:

201	         Research shows that when security warnings are displayed, users
202	         are often given too much information as well as being allowed
203	         to relatively easily bypass the warnings and continue with
204	         their potentially compromising activity [35] [36] [37] [38]
205	         [39].  Thus users have become trained to "click through"
206	         security notifications "in order to get work done", though not
207	         infrequently rendering themselves insecure and perhaps
208	         compromised [40].

210	   In the next section we discuss various high-level requirements
211	   derived with the guidance of the latter tension points.

213	4.  Overall Requirements

215	   1.  Policy conveyance:

217	          in-band:

219	             We believe that a regime based on HTTP header(s) is
220	             appropriate.  However we must devise a generalized,
221	             extensible HTTP security header(s) such that the on-going
222	             "bloat" of the number of disjoint HTTP security headers is
223	             mitigated and there is a documented framework that we can
224	             leverage as new approaches and/or threats emerge.

226	             Note:  The distinction between in-band and out-of-band
227	                    signaling is difficult to characterize because some
228	                    seemingly out-of-band mechanisms rely on the same
229	                    protocols (HTTP/HTTPS) and infrastructure
230	                    (transparent proxy servers) as the protocols they
231	                    ostensibly protect.

233	             It may be reasonable to devise a small set of headers to
234	             convey different classes of policies, e.g. web application
235	             content policies versus web application network
236	             capabilities policies.

238	          out-of-band:

240	             This policy communication mechanism must be secure and
241	             should have two facets, one for communicating securely out-
242	             of-band of the HTTP protocol to allow for secure client
243	             policy store bootstrapping. potential approaches are
244	             factory-installed web browser configuration, site security
245	             policy download a la Flash's crossdomain.xml and Maone's
246	             ABE for Web Authors [21], and DNS-based policy
247	             advertisement leveraging the security of DNS Security
248	             (DNSSEC) [32].

250	   2.  Granularity:

252	          In terms of granularity, vast arrays of stand-alone blog,
253	          wiki, hosted web account, and other "simple" web sites could
254	          ostensibly benefit from relatively simple, pre-determined
255	          policies.  However, complex sites--e.g. payment, ecommerce,
256	          software-as-a-service, mashup sites, etc.--often differ in
257	          various ways, as well as being inherently complex
258	          implementation-wise.  One-size-fits-all policies will
259	          generally not work well for them.  Thus, we believe that to be
260	          effective for a broad array of web site and application types,
261	          the policy expression mechanism must fundamentally facilitate
262	          fine-grained control.  For example, CSP offers such control.
263	          In order to address the less complex needs of the more simple
264	          classes of web sites, the policy expression mechanism could
265	          have a "macro"-like feature enabling "canned policy profiles".
266	          Or, the configuration facilities of various components of the
267	          web infrastructure can be enhanced to provide an appropriately
268	          simple veneer over the complexity.

270	   3.  Configurability:

272	          With respect to configurability, development effort should be
273	          applied to creating easy-to-use administrative interfaces
274	          addressing the simple cases, like those mentioned above, while
275	          providing advanced administrators the tools to craft and
276	          manage fine-grained multi-faceted policies.  Thus more casual
277	          or novice administrators can be aided in readily choosing, or
278	          be provided with, safe default policies while other classes of
279	          sites have the tools to craft the detailed policies they
280	          require.  Examples of such an approach are Microsoft's
281	          "Packaging Wizard" [41] that easily auto-generates a quite
282	          complicated service deployment descriptor on behalf of less
283	          experienced administrators, and Firefox's simple Preferences
284	          dialog [42] as compared to its detailed about:config
285	          configuration editor page [43].  In both cases, simple usage
286	          by inexperienced users is anticipated and provided for on one
287	          hand, while complex tuning of the myriad underlying
288	          preferences is provided for on the other.

290	   4.  Usability:

292	          Much has been learned over the last few years about what does
293	          and does not work with respect to security indicators in web
294	          browsers and web pages, as noted above, these lessons should
295	          be applied to the security indicators rendered by new proposed
296	          security mechanisms.  We believe that in cases of user agents
297	          venturing into insecure situations, their response should be
298	          to fail the connections by default without user recourse,
299	          rather than displaying warnings along with bypass mechanisms,
300	          as is current practice.  For example, the Strict Transport
301	          Security specification
302	          [I-D.draft-ietf-websec-strict-transport-sec-11] suggests the
303	          former hard-fail behavior.

305	5.  Attacks and Threats to Address

307	   This section enumerates various attacks and threats that ought to be
308	   mitigated by a web security policy framework.  In terms of defining
309	   threats in contrast to attacks, Lucas supplied this:

311	   <"Re: More on XSS mitigation (was Re: XSS mitigation in browsers)"
312	   (Lucas Adamski).  http://lists.w3.org/Archives/Public/
313	   public-web-security/2011Jan/0089.html>

315	      "...  There's a fundamental question about whether we should be
316	      looking at these problems from an attack vs threat standpoint.  An
317	      attack is XSS [or CSRF, or Response Splitting, etc.].  A threat is
318	      that an attacker could compromise a site via content injection to
319	      trick the user to disclosing confidential information (by
320	      injecting a plugin or CSS to steal data or fool the user into
321	      sending their password to the attacker's site). ..."

323	5.1.  Attacks

325	   The below is an enumeration of attacks which are desirable to
326	   mitigate via a web application security framework (see [WASC-THREAT]
327	   for a definition and taxonomy of attacks):

329	   1.  cross-site-scripting (XSS) [2] [WASC-THREAT]

331	   2.  Man-in-the-middle (MITM) attacks against "secure" (e.g.
332	       Transport Layer Security (TLS/SSL)-based [7] [8] [WASC-THREAT])
333	       web sites.  For example, be able to subsume the HSTS header [11].

335	   3.  User Interface Redressing [UIRedress], aka Clickjacking
336	       [Clickjacking].

338	   4.  Cross-Site-Request Forgery (CSRF) [3] [WASC-THREAT] (?)

340	   5.  Response Splitting [WASC-THREAT]

342	   6.  more (ie eg from [WASC-THREAT] ?) ?

344	5.2.  Threats

346	   Via the attacks above, an attacker can..

348	   1.  Obtain a victim's confidential web application credentials (e.g.,
349	       via cookie theft), and use the credentials to impersonate the
350	       victim and enter into transactions, often with the aim of
351	       monetizing the transaction results to the attacker's benefit.

353	   2.  Insert themselves as a Man-in-the-Middle (MITM) between victim
354	       and various services, thus is able to instigate, control,
355	       intercept, and attempt to monetize various transactions and
356	       interactions with web applications, to the benefit of the
357	       attacker.

359	   3.  Enumerate various user agent information stores, e.g. browser
360	       history, facilitating views of the otherwise confidential habits
361	       of the victim.  This information could possibly be used in
362	       various offline attacks against the victim directly.  E.g.:
363	       blackmail, denial of services, law enforcement actions, etc.

365	   4.  Use gathered information and credentials to construct and present
366	       a falsified persona of the victim (e.g. for character
367	       assassination).

369	   There is a risk of exfiltration of otherwise confidential victim
370	   information with all the threats listed above.

372	6.  Use Cases

374	   This section outlines various concrete use cases.  Where applicable,
375	   source email messages are cited.

377	   1.  I'm a web application site administrator.  My web app includes
378	       static user-supplied content (e.g. submitted from user agents via
379	       HTML FORM + HTTP POST), but either my developers don't properly
380	       sanitize user-supplied content in all cases or/and content
381	       injection vulnerabilities exist or materialize (for various
382	       reasons).

384	       This leaves my web app vulnerable to cross-site scripting.  I
385	       wish I could set overall web app-wide policies that prevent user-
386	       supplied content from injecting malicious content (e.g.
387	       JavaScript) into my web app.

389	   2.  I'm a web application site administrator.  My web application is
390	       intended, and configured, to be uniformly served over HTTPS, but
391	       my developers mistakenly keep including content via insecure
392	       channels (e.g. via insecure HTTP; resulting in so-called "mixed
393	       content").

395	       I wish I could set a policy for my web app that prevents user
396	       agents from loading content insecurely even if my web app is
397	       otherwise telling them to do so.

399	   3.  I'm a web application site administrator.  My site has a policy
400	       that we can only include content from certain trusted providers
401	       (e.g., our CDN, Amazon S3), but my developers keep adding
402	       dependencies on origins I don't trust.  I wish I could set a
403	       policy for my site that prevents my web app from accidentally
404	       loading resources outside my whitelist.

406	   4.  I'm a web application site administrator.  I want to ensure that
407	       my web app is never framed by other web apps.

409	   5.  I'm a developer of a web application which will be included (i.e.
410	       framed) by third parties within their own web apps.  I would like
411	       to ensure that my web app directs user agents to only load
412	       resources from URIs I expect it to (possibly even down to
413	       specific URI paths), without affecting the containing web app or
414	       any other web apps it also includes.

416	   6.  I'm a web application site administrator.  My web app frames
417	       other web apps whose behavior, properties, and policies are not
418	       100% known or predictable.

420	       I need to be able to apply policies that both protect my web app
421	       from potential vulnerabilities or attacks introduced by the
422	       framed web apps, and that work to ensure that the desired
423	       interactions between my web app and the framed apps are securely
424	       realized.

426	7.  Detailed Functional Requirements

428	   Many of the below functional requirements are extracted from a recent
429	   discussion on the [public-web-security] list.  Particular messages
430	   are cited inline and appropriate quotes extracted and reproduced
431	   here.  Inline citations are provided for definitions of various
432	   terms.

434	   1.   Policy expression syntax:

436	        *  Declarative.

438	              <"declarative languages".  http://www.encyclopedia.com/
439	              doc/1O11-declarativelanguages.html>

441	        *  Extensible.

443	              <"Extensibility".
444	              https://secure.wikimedia.org/wikipedia/en/wiki/Extensible>

446	        <"Re: XSS mitigation in browsers" (Lucas Adamski).  http://
447	        lists.w3.org/Archives/Public/public-web-security/2011Jan/
448	        0066.html>

450	           "On a conceptual level, I am not really a believer in the
451	           current proliferation of orthogonal atomic mechanisms
452	           intended to solve very specific problems.  Security is a
453	           holistic discipline, and so I'm a big supporter of investing
454	           in an extensible declarative security policy mechanism that
455	           could evolve as the web and the threats that it faces do.
456	           Web developers have a hard enough time with security already
457	           without being expected to master a potentially large number
458	           of different security mechanisms, each with their own unique
459	           threat model, implementation and syntax.  Not to mention
460	           trying to figure out how they're expected to interact with
461	           each other... how to manage the gaps and intersections
462	           between the models."

464	        <"Re: Scope and complexity (was Re: More on XSS mitigation)"
465	        (Adam Barth).  http://lists.w3.org/Archives/Public/
466	        public-web-security/2011Jan/0108.html>

468	           "I guess I wish we had an extensibility model more like HTML
469	           where we could grow the security protections over time.  For
470	           example, we can probably agree that both <canvas> and <video>
471	           are great additions to HTML that might not have made sense
472	           when folks were designing HTML 1.0.

474	           As long as you're not relying on the security policy as a
475	           first line of defense, the extensibility story for security
476	           policies is even better than it is with HTML tags.  With an
477	           HTML tag, you need a fall-back for browsers that don't
478	           support the tag, whereas with a security policy, you'll
479	           always have your first line of defense.

481	           Ideally, we could come up with a policy mechanism that let us
482	           nail XSS today and that fostered innovation in security for
483	           years to come.  In the short term, you could view the
484	           existing CSP features (e.g., clickjacking protection) as the
485	           first wave of innovation.  If those pieces are popular, then
486	           it should be easy for other folks to adopt them."

488	   2.   Tooling:

490	        *  We will need tools to (idealy) analyze a web application and
491	           generate a starting point security policy.

493	        <"Re: More on XSS mitigation" (John Wilander).  http://
494	        lists.w3.org/Archives/Public/public-web-security/2011Jan/
495	        0082.html>

497	           "*Developers Will Want a Policy Generator* A key issue for
498	           in-the-field success of CSP is how to write, generate and
499	           maintain the policies.  Just look at the epic failure of Java
500	           security policies.  The Java policy framework was designed
501	           for static releases shipped on CDs, not for moving code,
502	           added frameworks, new framework versions etc.  The world of
503	           web apps is so dynamic I'm still amazed.  If anything, for
504	           instance messy security policies, gets in the way of daily
505	           releases it's a no go.  At least until there's an exploit.
506	           Where am I going with this?  Well, we should implement a PoC
507	           *policy generator* and run it on some fairly large websites
508	           before we nail the standard.  There will be subtleties found
509	           which we can address and we can bring the PoC to production
510	           level while the standard is being finalized and shipped in
511	           browsers.  Then we release the policy generator along with
512	           policy enforcement -- success! "

514	   3.   Performance:

516	        *  Minimizing performance impact is a first-order concern.

518	        <"Re: More on XSS mitigation" (John Wilander).  http://
519	        lists.w3.org/Archives/Public/public-web-security/2011Jan/
520	        0082.html>

522	           "*We Mustn't Spoil Performance* Web developers (and browser
523	           developers) are so hung up on performance that we really need
524	           to look at what they're up to and make sure we don't spoil
525	           things.  Especially load performance now that it's part of
526	           Google's rating."

528	   4.   Granularity:

530	        *  For example, discriminate between:

532	           +  "inline" script in <head> versus <body>, or not.

534	           +  "inline" script and "src=" loaded script.

536	           +  Classes of "content", e.g. scriptable content, passive
537	              multimedia, nested documents, etc.

539	        <"Proposal to move the debate forward" (Daniel Veditz).  http://
540	        lists.w3.org/Archives/Public/public-web-security/2011Jan/
541	        0122.html>
542	           "We oscillated several times between lumpy and granular.
543	           Fewer classes (simpler) is always more attractive, easier to
544	           explain and understand.  The danger is that future features
545	           then end up being added to the existing lumps, possibly
546	           enabling things that the site isn't aware they need to now
547	           filter.  It's a constant problem as we expand the
548	           capabilities of browsers -- sites that used to be perfectly
549	           secure are suddenly hackable because all the new browsers
550	           added feature-X."

552	   5.   Notifications and reporting:

554	        *  Convey to the user agent an identifier (e.g. a URI) denoting
555	           where to send policy violation reports.  Could also specify a
556	           DOM event to be dedicated for this purpose.

558	        *  An ability to specify that a origin's policies are to be
559	           enforced in a "report only" mode will be useful for debugging
560	           policies as well as site-policy interactions.  E.g. for
561	           answering the question: "does my policy 'break' my site?".

563	        <"[Content Security Policy] Proposal to move the debate forward"
564	        (Brandon Sterne).  http://lists.w3.org/Archives/Public/
565	        public-web-security/2011Jan/0118.html>

567	   "...
568	   3. Violation Reporting
569	      a. report-uri: URI to which a report will be sent upon policy
570	         violation
571	      b. SecurityViolation event: DOM event fired upon policy violations
572	    ..."

574	   6.   Facilitating Separation of Duties:

576	        *  Specifically, allowing for Web Site operations/deployment
577	           personnel to apply site policy, rather then having it being
578	           encoded in the site implementation code by side developers/
579	           implementors.

581	        <"RE: Content Security Policy and iframe@sandbox" (Andrew
582	        Steingruebl).  http://lists.w3.org/Archives/Public/
583	        public-web-security/2011Feb/0050.html>

585	           "... 2.  SiteC is also totally in control of all HTTP headers
586	           it emits.  It could just as easily indicate policy choices
587	           for all frames via CSP.  It could advertise a blanket policy
588	           (No JS, No ActiveX).  Advertising a page-specific, or frame/
589	           target specific policy is substantially more difficult and
590	           probably unwieldy.  But, depending on how SiteC is
591	           configured, setting a global site policy via headers offers a
592	           potential separation of duties that #1 does not, it allows
593	           website admin to specific things that each web developer
594	           might not be able to. ..."

596	   7.   Hierarchical Policy Application:

598	        *  The notion that policy emitted by the application's source
599	           origin is able to constrain behavior and policies of
600	           contained origins.

602	        <"RE: Content Security Policy and iframe@sandbox" (Andrew
603	        Steingruebl).  http://lists.w3.org/Archives/Public/
604	        public-web-security/2011Feb/0048.html>

606	           "...  I could imagine a tweak to CSP wherein CSP would
607	           control all contents hierarchically.  I already spoke to
608	           Brandon about it, but it was just a quick brainstorm.

610	           You could imagine revoking permissions in the frame hierarchy
611	           and not granting them back.  This does start to get awfully
612	           ugly, but just as CSP controls loading policy for itself, it
613	           could also control loading policy for children, ..."

615	   8.   Framing Policy Hierarchy, cross-origin, granularity:

617	           <"Re: Content Security Policy and iframe@sandbox") (Andy
618	           Steingruebl, Adam Barth) http://lists.w3.org/Archives/Public/
619	           public-web-security/2011Feb/0051.html>

621	On Sat, Feb 12, 2011 at 9:01 PM, Steingruebl, Andy
622	                <asteingruebl@paypal-inc.com> wrote:
623	>> -----Original Message-----
624	>> From: Adam Barth [mailto:w3c@adambarth.com]
625	>
626	>> That all sounds very abstract. If you have some concrete examples,
627	>> that might be more productive to discuss. When enforcing policy
628	>> supplied by one origin on another origin, we need to be careful to
629	>> consider the case where the policy providing origin is the attacker
630	>> and the origin on which the policy is being enforced is the victim.
631	>
632	> SiteA  wants to make sure it cannot ever be framed.  It deploys
633	X-Frame-Options headers and framebusting JS, and maybe even CSP
634	frame-ancestors.
635	>
636	> SiteB wants to make sure it never loads data from anything other than
637	SiteB (no non-origin loads).  It outputs CSP headers to this effect
638	>
639	> SiteC wants to make sure that any content it frames cannot run ActiveX
640	controls, nor do a 401 authentication.  It can't really do this with
641	current iframe sandboxing, but pretend it could...
642	>
643	> SiteC wants to control the behavior of children that it frames.  It
644	needs to advertise this policy to a web browser.  It has two choices:
645	>
646	> 1. It can do it inline in the HTML it outputs with extra attributes of
647	the iframe it creates.  SiteC is in complete control of the HTML that
648	creates the iframe.  I can impose any policy via sandbox attributes.
649	Currently for example, it can disable JS in the frame.  If it frames
650	SiteA, SiteA's framebusting JS will never run, but the browser will
651	respect its X-Frame-Options headers.
652	>
653	> 2. SiteC is also totally in control of all HTTP headers it emits.  It
654	could just as easily indicate policy choices for all frames via CSP.  It
655	could advertise a blanket policy (No JS, No ActiveX).  Advertising a
656	page-specific, or frame/target specific policy is substantially more
657	difficult and probably unwieldy. But, depending on how SiteC is
658	configured, setting a global site policy via headers offers a potential
659	separation of duties that #1 does not, it allows website admin to
660	specific things that each web developer might not be able to.
661	>
662	> 3. Because all of Site A,B,C are in different origins, they don't
663	really have to worry about polluting other origins, but they do have to
664	worry about problematic behavior such as top-nav, 401-auth popups, etc.
665	Parents need to constrain certain behavior of things they embed,
666	according to certain rules of whether the child allows itself to be
667	framed.
668	>
669	> I totally get how existing iframe sandboxing that turns off JS is
670	problematic for sites [due to] older browsers that don't support
671	X-Frame-Options.  We already have a complicated interaction between
672	these multiple security controls.
673	>
674	> Can you give me an example of why my #1/#2 are actually that
675	different?  Whether we control behavior with headers of inline content,
676	each site is totally responsible for what it emits, and can already
677	control in some interesting ways the behavior of content it
678	frames/includes.

680	In this example, the trade-off for Site C seems to boil down to the
681	granularity of the policy.  Using attributes on a frame is more
682	fine-grained because Site C can make these decisions on an
683	iframe-by-iframe basis whereas using a document-wide policy is more
684	coarse-grained.

686	Of course, there's a trade-off between different granularities.  On
687	the one hand, fine-grained gives the site more control over how
688	different iframes behavior.  On the other hand, it's much easier to
689	audit and understand the effects of a coarse-grained policy.

691	Adam

693	   9.   Policy Delivery:

695	        *  The web application policy must be communicated by the web
696	           application to the user agent.  There are various approaches
697	           and they have tradeoffs between security, audience, and
698	           practicality.

700	        <"[Content Security Policy] Proposal to move the debate forward"
701	        (Brandon Sterne).  http://lists.w3.org/Archives/Public/
702	        public-web-security/2011Jan/0118.html>

704	   "...
705	   6. Policy delivery
706	      a. HTTP header
707	      b. <meta> (or <link>) tag, to be superseded by header if present
708	      c. policy-uri: a URI from which the policy will be fetched; can be
709	         specified in either header or tag
710	   ..."

712	        <"Re: [Content Security Policy] Proposal to move the debate
713	        forward" (gaz Heyes).  http://lists.w3.org/Archives/Public/
714	        public-web-security/2011Jan/0148.html>

716	           "...
717	           a) Policy shouldn't be defined in a http header it's too
718	           messy and what happens when there's a mistake?

720	           b) As discussed on the list there is no need to have a
721	           separate method as it can be generated by an attacker.  If a
722	           policy doesn't exist then an attacker can now DOS the web
723	           site via meta.

725	           c) We have a winner, a http header specifying a link to the
726	           policy file is the way to go IMO, my only problem with it is
727	           devs implementing it.  Yes facebook would and probably
728	           twitter would but Dave's tea shop wouldn't pay enough money
729	           to hire a web dev who knew how to implement a custom http
730	           header yet they would know how to validate HTML.  So the
731	           question is are we bothered about little sites that are
732	           likely to have nice tea and XSS holes?  If so I suggest
733	           updating the HTML W3C validator to require a security policy
734	           to pass validation if not I suggest a policy file delivered
735	           by http header.
736	           ..."

738	   10.  Policy Conflict Resolution:

740	        *

742	        <"RE: Content Security Policy and iframe@sandbox" (Andrew
743	        Steingruebl).  http://lists.w3.org/Archives/Public/
744	        public-web-security/2011Feb/0048.html>

746	 > -----Original Message-----
747	 > From: public-web-security-request@w3.org [mailto:public-web-security-
748	 > request@w3.org] On Behalf Of Adam Barth
749	 >
750	 > @sandbox and CSP are very different.  The primary difference is who
751	 > choses the policy.  In the case of @sandbox, the embedder chooses
752	 > the policy. In CSP, the provider of the resource chooses the policy.

754	 While this is true today, I could imagine a tweak to CSP wherein CSP
755	 would control all contents hierarchically.  I already spoke to Brandon
756	 about it, but it was just a quick brainstorm.

758	 You could imagine revoking permissions in the frame hierarchy and not
759	 granting them back.  This does start to get awfully ugly, but just as
760	 CSP controls loading policy for itself, it could also control loading
761	 policy for children, right?

763	 Fundamentally, since the existing security model doesn't really provide
764	 for strict separation of parent/child (popups, 401's, top-nav) CSP and
765	 iframe sandbox both try to control the behavior of resources we pull
766	 from other parties.

768	 Do we think that these are both special cases of a general security
769	 policy (my intuition says yes) or that they have some quite orthogonal
770	 types of security controls that cannot be mixed into a single policy
771	 declaration?

773	 One clear problem that comes to mind is that there are policies that
774	 come from the "child" such as X-Frame-Options that must break the
775	 ordinary parent/child relationship from a precedence standpoint.

777	8.  Extant Policies to Coalesce

779	   Presently, this section lists a grab-bag of individually-expressed
780	   web app security policies which a more general substrate could
781	   ostensibly encompass (in order to, for example, reduce "header bloat"
782	   and bytes-on-the-wire issues), as well as reduce functional policy
783	   duplication/overlap.

785	      CORS

787	      XDomainRequest

789	      toStaticHtml
790	      innerSafeHtml

792	      X-Frame-Options

794	      CSP frame-ancestors

796	      more?

798	9.  Example Concrete Approaches

800	   An overall, broad approach (from [0]):

802	      As for an overall policy mechanism, we observe that leveraging a
803	      combination of CSP [16] and ABE [19], or their employment in
804	      tandem, as a starting point for a multi-vendor approach may be
805	      reasonable.  For a near-term policy delivery mechanism, we
806	      advocate use of both HTTP headers and a policy file at a well-
807	      known location.  Leveraging DNSSEC is attractive in the
808	      intermediate term, i.e. as it becomes more widely deployed.

810	10.  Security Considerations

812	   Security considerations go here.

814	11.  References

816	   [[TODO1: re-code refs into xml and place in proper refs section.
817	   --JeffH]]

819	   [0] J. Hodges, A. Steingruebl, "The Need for Coherent Web Security
820	   Policy Framework(s)", Web 2.0 Security & Privacy, Oakland CA, 20 May
821	   2010. http://w2spconf.com/2010/papers/p11.pdf

823	   [1] Breach Security, "THE WEB HACKING INCIDENTS DATABASE 2009," Aug.
824	   2009. http://www.breach.com/resources/whitepapers/downloads/
825	   WP_TheWebHackingIncidents-2009.pdf

827	   [2] R. Auger, The Cross-Site Request Forgery (CSRF/XSRF) FAQ, 2007.
828	   http://www.cgisecurity.com/articles/csrf-faq.shtml

830	   [3] A. Barth, J. Caballero, and D. Song, "Secure Content Sniffing for
831	   Web Browsers--or How to Stop Papers from Reviewing Themselves,"
832	   Proceedings of the 30th IEEE Symposium on Security & Privacy,
833	   Oakland, CA: 2009.

835	   [4] D. Goodin, "Major IE8 flaw makes 'safe' sites unsafe -
836	   Microsoft's XSS buster busted," The Register, Nov. 2009. http://
837	   www.theregister.co.uk/2009/11/20/internet_explorer_security_flaw/

839	   [5] J. Grossman, "Clickjacking: Web pages can see and hear you," Oct.
840	   2008. http://jeremiahgrossman.blogspot.com/2008/10/
841	   clickjacking-web-pages-can-see-and-hear.html

843	   [6] W. Salusky, Malvertising, 2007.
844	   http://isc.sans.org/diary.html?storyid=3727

846	   [7] T. Dierks and E. Rescorla, "The Transport Layer Security (TLS)
847	   Protocol Version 1.2," RFC5246, Internet Engineering Task Force, Aug.
848	   2008. http://www.ietf.org/rfc/rfc5246.txt

850	   [8] M. Marlinspike, SSLSTRIP, 2009.
851	   http://www.thoughtcrime.org/software/sslstrip/

853	   [9] Scope of HTTPOnly Cookies.
854	   http://docs.google.com/View?docid=dxxqgkd_0cvcqhsdw

856	   [10] E. Lawrence, IE8 Security Part VII: ClickJacking Defenses, 2009.
857	   http://blogs.msdn.com/ie/archive/2009/01/27/
858	   ie8-security-part-vii-clickjacking-defenses.aspx

860	   [11] J. Hodges, C. Jackson, and A. Barth, "Strict Transport
861	   Security," Work-in-progress, Internet-Draft, Jul. 2010.
862	   http://tools.ietf.org/html/draft-hodges-strict-transport-sec

864	   [12] A. Barth, C. Jackson, and I. Hickson, "The Web Origin Concept,"
865	   Internet-Draft, work in progress, Internet Engineering Task Force,
866	   2009. http://tools.ietf.org/html/draft-abarth-origin

868	   [13] E. Lawrence, IE8 Security Part VI: Beta 2 Update, 2008. http://
869	   blogs.msdn.com/ie/archive/2008/09/02/
870	   ie8-security-part-vi-beta-2-update.aspx

872	   [14] G. Markham, Content restrictions, 2007.
873	   http://www.gerv.net/security/content-restrictions/

875	   [15] T. Jim, N. Swamy, and M. Hicks, "BEEP: Browser-Enforced Embedded
876	   Policies," Proceedings of the 16th International World Wide Web
877	   Conference, Banff, Alberta, Canada, 2007.

879	   [16] B. Sterne, "Content Security Policy (CSP)," 2011. https://
880	   dvcs.w3.org/hg/content-security-policy/raw-file/bcf1c45f312f/
881	   csp-unofficial-draft-20110303.html

883	   [17] A.V. Kesteren, "Cross-Origin Resource Sharing (CORS)," Mar.
884	   2009. http://www.w3.org/TR/2009/WD-cors-20090317/

886	   [18] Adobe Systems, "Cross-domain policy file specification." http://
887	   learn.adobe.com/wiki/download/attachments/64389123/
888	   CrossDomain_PolicyFile_Specification.pdf?version=1

890	   [19] G. Maone, ABE - Application Boundaries Enforcer, 2009.
891	   http://noscript.net/abe/

893	   [20] G. Maone, NoScript. http://noscript.net/

895	   [21] G. Maone, ABE for Web Authors, 2009.
896	   http://noscript.net/abe/web-authors.html

898	   [22] Microsoft, "Event 1046 - Cross-Site Scripting Filter," MSDN
899	   Library, undated.
900	   http://msdn.microsoft.com/en-us/library/dd565647%28VS.85%29.aspx

902	   [23] A. Barth, C. Jackson, and W. Li, "Attacks on JavaScript Mashup
903	   Communication," Proceedings of the Web 2.0 Security and Privacy
904	   Workshop, 2009.

906	   [24] M. Ter Louw, P. Bisht, and V. Venkatakrishnan, "Analysis of
907	   Hypertext Isolation Techniques for XSS Prevention," Proceedings of
908	   the Web 2.0 Security and Privacy Workshop, 2008 .

910	   [25] A. Ozment, S.E. Schechter, and R. Dhamija, "Web Sites Should Not
911	   Need to Rely on Users to Secure Communications," W3C Workshop on
912	   Transparency and Usability of Web Authentication, 2006.

914	   [26] C. Reis, A. Barth, and C. Pizano, "Browser Security: Lessons
915	   from Google Chrome," ACM Queue, 2009, pp. 1-8.

917	   [27] H.J. Wang, C. Grier, A. Moshchuk, S.T. King, P. Choudhury, and
918	   H. Venter, "The Multi-Principal OS Construction of the Gazelle Web
919	   Browser," USENIX Security Symposium, 2009.

921	   [28] M. Zalewski, Browser Security Handbook.
922	   http://code.google.com/p/browsersec/

924	   [29] A. Stamos, D. Thiel, and J. Osborne, Living in the RIA World:
925	   Blurring the Line between Web and Desktop Security, BlackHat
926	   presentation, iSecPartners, 2008.
927	   https://www.isecpartners.com/files/RIA_World_BH_2008.pdf

929	   [30] Mary Shelley, "Frankenstein, or The Modern Prometheus," ca.
930	   1831. http://en.wikipedia.org/wiki/Frankenstein%27s_monster

932	   [31] D. Goodin, "cPanel, Netgear and Linksys susceptible to nasty
933	   attack - Unholy Trinity," The Register, 2009.
934	   http://www.theregister.co.uk/2009/08/02/unholy_trinity_csrf/

936	   [32] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, "DNS
937	   security introduction and requirements," RFC4033, Internet
938	   Engineering Task Force, Mar. 2005.
939	   http://www.ietf.org/rfc/rfc4033.txt

941	   [33] J.H. Saltzer and M.D. Schroeder, "The Protection of Information
942	   in Computer Systems," Communications of the ACM, vol. 17, Jul. 1974.

944	   [34] I. Hickson and many others, "Comments on the Content Security
945	   Policy specification," discussion on mozilla.dev.security newsgroup.
946	   http://groups.google.com/group/mozilla.dev.security/browse_frm/
947	   thread/
948	   87ebe5cb9735d8ca?tvc=1&
949	   q=Comments+on+the+Content+Security+Policy+specification

951	   [35] S. Egelman, L.F. Cranor, and J. Hong, "You've Been Warned: An
952	   Empirical Study of the Effectiveness of Web Browser Phishing
953	   Warnings," CHI 2008, April 5 - 10, 2008, Florence, Italy, 2008.

955	   [36] S.E. Schechter, R. Dhamija, A. Ozment, and I. Fischer, "The
956	   Emperor's New Security Indicators," Proceedings of the 2007 IEEE
957	   Symposium on Security and Privacy.

959	   [37] R. Dhamija and J.D. Tygar, "The Battle Against Phishing: Dynamic
960	   Security Skins," Proceedings of the 2005 Symposium on Usable Privacy
961	   and Security (SOUPS).

963	   [38] J. Sobey, T. Whalen, R. Biddle, P.V. Oorschot, and A.S. Patrick,
964	   Browser Interfaces and Extended Validation SSL Certificates: An
965	   Empirical Study, Ottawa, Canada: School of Computer Science, Carleton
966	   University, 2009.

968	   [39] J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L.F.
969	   Cranor, "Crying Wolf: An Empirical Study of SSL Warning
970	   Effectiveness," USENIX Security Symposium, 2009.

972	   [40] C. Jackson and A. Barth, "ForceHTTPS: Protecting High-Security
973	   Web Sites from Network Attacks," Proceedings of the 17th
974	   International World Wide Web Conference (WWW), 2008.

976	   [41] Microsoft, "Packaging Wizard."
977	   http://msdn.microsoft.com/en-us/library/aa157732(office.10).aspx

979	   [42] Mozilla, "Options window."
980	   http://support.mozilla.com/en-US/kb/Options+window

982	   [43] S. Yegulalp, "Hacking Firefox: The secrets of about:config,"
983	   ComputerWorld, May. 2007. http://www.computerworld.com/s/article/
984	   9020880/Hacking_Firefox_The_secrets_of_about_config

986	12.  Informative References

988	   [Clickjacking]
989	              "Clickjacking", Sep 2008,
990	              <http://www.sectheory.com/clickjacking.htm>.

992	   [I-D.ietf-websec-strict-transport-sec]
993	              Hodges, J., Jackson, C., and A. Barth, "HTTP Strict
994	              Transport Security (HSTS)",
995	              draft-ietf-websec-strict-transport-sec-11 (work in
996	              progress), July 2012.

998	   [UIRedress]
999	              "Dealing with UI redress vulnerabilities inherent to the
1000	              current web", Sep 2008, <http://lists.whatwg.org/
1001	              htdig.cgi/whatwg-whatwg.org/2008-September/016284.html>.

1003	   [WASC-THREAT]
1004	              Web Application Security Consortium, "The WASC Threat
1005	              Classification v2.0", January 2010,
1006	              <http://projects.webappsec.org/f/WASC-TC-v2_0.pdf>.

1008	   [WebSec]   "Web HTTP Application Security Minus Authentication and
1009	              Transport",
1010	              <https://www.ietf.org/mailman/listinfo/websec>.

1012	   [public-web-security]
1013	              "public-web-security@w3.org: Improving standards and
1014	              implementations to advance the security of the Web.",
1015	              <http://lists.w3.org/Archives/Public/
1016	              public-web-security/>.

1018	Author's Address

1020	   Jeff Hodges
1021	   PayPal
1022	   2211 North First Street
1023	   San Jose, California  95131
1024	   US

1026	   Email: Jeff.Hodges@PayPal.com