idnits 2.17.1 

draft-ietf-websec-framework-reqs-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (Feb 2013) is 4087 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: '11' is defined on line 738, but no explicit reference
     was found in the text

  == Unused Reference: '28' is defined on line 799, but no explicit reference
     was found in the text

  == Unused Reference: '30' is defined on line 807, but no explicit reference
     was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. '0'

  -- Possible downref: Non-RFC (?) normative reference: ref. '1'

  -- Possible downref: Non-RFC (?) normative reference: ref. '2'

  -- Possible downref: Non-RFC (?) normative reference: ref. '3'

  -- Possible downref: Non-RFC (?) normative reference: ref. '4'

  -- Possible downref: Non-RFC (?) normative reference: ref. '5'

  -- Possible downref: Non-RFC (?) normative reference: ref. '6'

  ** Obsolete normative reference: RFC 5246 (ref. '7') (Obsoleted by RFC 8446)

  -- Possible downref: Non-RFC (?) normative reference: ref. '8'

  -- Possible downref: Non-RFC (?) normative reference: ref. '9'

  -- Possible downref: Non-RFC (?) normative reference: ref. '10'

  -- Possible downref: Non-RFC (?) normative reference: ref. '11'

  -- Possible downref: Non-RFC (?) normative reference: ref. '12'

  -- Possible downref: Non-RFC (?) normative reference: ref. '13'

  -- Possible downref: Non-RFC (?) normative reference: ref. '14'

  -- Possible downref: Non-RFC (?) normative reference: ref. '15'

  -- Possible downref: Non-RFC (?) normative reference: ref. '16'

  -- Possible downref: Non-RFC (?) normative reference: ref. '17'

  -- Possible downref: Non-RFC (?) normative reference: ref. '18'

  -- Possible downref: Non-RFC (?) normative reference: ref. '19'

  -- Possible downref: Non-RFC (?) normative reference: ref. '20'

  -- Possible downref: Non-RFC (?) normative reference: ref. '21'

  -- Possible downref: Non-RFC (?) normative reference: ref. '22'

  -- Possible downref: Non-RFC (?) normative reference: ref. '23'

  -- Possible downref: Non-RFC (?) normative reference: ref. '24'

  -- Possible downref: Non-RFC (?) normative reference: ref. '25'

  -- Possible downref: Non-RFC (?) normative reference: ref. '26'

  -- Possible downref: Non-RFC (?) normative reference: ref. '27'

  -- Possible downref: Non-RFC (?) normative reference: ref. '28'

  -- Possible downref: Non-RFC (?) normative reference: ref. '29'

  -- Possible downref: Non-RFC (?) normative reference: ref. '30'

  -- Possible downref: Non-RFC (?) normative reference: ref. '31'

  -- Possible downref: Non-RFC (?) normative reference: ref. '33'

  -- Possible downref: Non-RFC (?) normative reference: ref. '34'

  -- Possible downref: Non-RFC (?) normative reference: ref. '35'

  -- Possible downref: Non-RFC (?) normative reference: ref. '36'

  -- Possible downref: Non-RFC (?) normative reference: ref. '37'

  -- Possible downref: Non-RFC (?) normative reference: ref. '38'

  -- Possible downref: Non-RFC (?) normative reference: ref. '39'

  -- Possible downref: Non-RFC (?) normative reference: ref. '40'

  -- Possible downref: Non-RFC (?) normative reference: ref. '41'

  -- Possible downref: Non-RFC (?) normative reference: ref. '42'

  -- Possible downref: Non-RFC (?) normative reference: ref. '43'

  -- Duplicate reference: RFC5246, mentioned in 'RFC5246', was also mentioned
     in '7'.

  -- Obsolete informational reference (is this intentional?): RFC 5246
     (Obsoleted by RFC 8446)


     Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 45 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                          J. Hodges
3	Internet-Draft                                                    PayPal
4	Intended status: Standards Track                                Feb 2013
5	Expires: August 5, 2013

7	       Web Security Framework: Problem Statement and Requirements
8	                  draft-ietf-websec-framework-reqs-00

10	Abstract

12	   Web-based malware and attacks are proliferating rapidly on the
13	   Internet.  New web security mechanisms are also rapidly growing in
14	   number, although in an incoherent fashion.  This document provides a
15	   brief overview of the present situation and the various seemingly
16	   piece-wise approaches being taken to mitigate the threats.  It then
17	   provides an overview of requirements as presently being expressed by
18	   the community in various online and face-to-face discussions.

20	Status of this Memo

22	   This Internet-Draft is submitted in full conformance with the
23	   provisions of BCP 78 and BCP 79.

25	   Internet-Drafts are working documents of the Internet Engineering
26	   Task Force (IETF).  Note that other groups may also distribute
27	   working documents as Internet-Drafts.  The list of current Internet-
28	   Drafts is at http://datatracker.ietf.org/drafts/current/.

30	   Internet-Drafts are draft documents valid for a maximum of six months
31	   and may be updated, replaced, or obsoleted by other documents at any
32	   time.  It is inappropriate to use Internet-Drafts as reference
33	   material or to cite them other than as "work in progress."

35	   This Internet-Draft will expire on August 5, 2013.

37	Copyright Notice

39	   Copyright (c) 2013 IETF Trust and the persons identified as the
40	   document authors.  All rights reserved.

42	   This document is subject to BCP 78 and the IETF Trust's Legal
43	   Provisions Relating to IETF Documents
44	   (http://trustee.ietf.org/license-info) in effect on the date of
45	   publication of this document.  Please review these documents
46	   carefully, as they describe your rights and restrictions with respect
47	   to this document.  Code Components extracted from this document must
48	   include Simplified BSD License text as described in Section 4.e of
49	   the Trust Legal Provisions and are provided without warranty as
50	   described in the Simplified BSD License.

52	Table of Contents

54	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
55	     1.1.  Where to Discuss This Draft  . . . . . . . . . . . . . . .  4
56	   2.  Document Conventions . . . . . . . . . . . . . . . . . . . . .  5
57	   3.  Overall Constraints  . . . . . . . . . . . . . . . . . . . . .  5
58	   4.  Overall Requirements . . . . . . . . . . . . . . . . . . . . .  6
59	   5.  Vulnerabilities, Attacks, and Threats  . . . . . . . . . . . .  8
60	     5.1.  Attacks  . . . . . . . . . . . . . . . . . . . . . . . . .  8
61	     5.2.  Threats  . . . . . . . . . . . . . . . . . . . . . . . . .  9
62	   6.  Use Cases  . . . . . . . . . . . . . . . . . . . . . . . . . .  9
63	   7.  Detailed Functional Requirements . . . . . . . . . . . . . . . 11
64	   8.  Extant Policies to Coalesce  . . . . . . . . . . . . . . . . . 15
65	   9.  Example Concrete Approaches  . . . . . . . . . . . . . . . . . 15
66	   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 15
67	   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
68	   12. Informative References . . . . . . . . . . . . . . . . . . . . 19
69	   Appendix A.  Acknowledgments . . . . . . . . . . . . . . . . . . . 21
70	   Appendix B.  Discussion References . . . . . . . . . . . . . . . . 21
71	     B.1.  Source: Attacks and Threats  . . . . . . . . . . . . . . . 21
72	     B.2.  Source: Policy Expression Syntax [1] . . . . . . . . . . . 21
73	     B.3.  Source: Policy Expression Syntax [2] . . . . . . . . . . . 22
74	     B.4.  Source: Tooling  . . . . . . . . . . . . . . . . . . . . . 22
75	     B.5.  Source: Performance  . . . . . . . . . . . . . . . . . . . 23
76	     B.6.  Source: Granularity  . . . . . . . . . . . . . . . . . . . 23
77	     B.7.  Source: Notifications and Reporting  . . . . . . . . . . . 23
78	     B.8.  Source: Facilitating Separation of Duties  . . . . . . . . 24
79	     B.9.  Source: Hierarchical Policy Application  . . . . . . . . . 24
80	     B.10. Source: Framing Policy Hierarchy, cross-origin,
81	           granularity  . . . . . . . . . . . . . . . . . . . . . . . 24
82	     B.11. Source: Policy Delivery [1]  . . . . . . . . . . . . . . . 26
83	     B.12. Source: Policy Delivery [2]  . . . . . . . . . . . . . . . 26
84	     B.13. Source: Policy Conflict Resolution . . . . . . . . . . . . 27
85	   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 28

87	1.  Introduction

89	   Over the past few years, we have seen a proliferation of AJAX-based
90	   web applications (AJAX being shorthand for asynchronous JavaScript
91	   and XML), as well as Rich Internet Applications (RIAs), based on so-
92	   called Web 2.0 technologies.  These applications bring both luscious
93	   eye-candy and convenient functionality--e.g. social networking--to
94	   their users, making them quite compelling.  At the same time, we are
95	   seeing an increase in attacks against these applications and their
96	   underlying technologies [1].  The latter include (but aren't limited
97	   to) Cross-Site-Request Forgery (CSRF) -based attacks [2], content-
98	   sniffing cross-site-scripting (XSS) attacks [3], attacks against
99	   browsers supporting anti-XSS policies [4], clickjacking attacks [5],
100	   malvertising attacks [6], as well as man-in-the-middle (MITM) attacks
101	   against "secure" (e.g.  Transport Layer Security (TLS/SSL)-based [7])
102	   web sites along with distribution of the tools to carry out such
103	   attacks (e.g. sslstrip) [8].

105	   During the same time period we have also witnessed the introduction
106	   of new web security indicators, techniques, and policy communication
107	   mechanisms sprinkled throughout the various layers of the Web and
108	   HTTP.  We have a new cookie security flag called HTTPOnly [9].  We
109	   have the anti-clickjacking X-Frame-Options HTTP header [10], the
110	   Strict-Transport-Security HTTP header [RFC6797], anti-CSRF headers
111	   (e.g.  Origin) [12], an anti-sniffing header (X-Content-Type-Options:
112	   nosniff) [13], various approaches to content restrictions [14] [15]
113	   and notably Mozilla Content Security Policy (CSP; conveyed via a HTTP
114	   header) [16], the W3C's Cross-Origin Resource Sharing (CORS; also
115	   conveyed via a HTTP header) [17], as well as RIA security controls
116	   such as the crossdomain.xml file used to express a site's Adobe Flash
117	   security policy [18].  There's also the Application Boundaries
118	   Enforcer (ABE) [19], included as a part of NoScript [20], a popular
119	   Mozilla Firefox security extension.  Sites can express their ABE
120	   rule-set at a well-known web address for downloading by individual
121	   clients [21], similarly to Flash's crossdomain.xml.  Amidst this
122	   haphazard collage of new security mechanisms at least one browser
123	   vendor has even devised a new HTTP header that disables one of their
124	   newly created security features: witness the X-XSS-Protection header
125	   that disables the new anti-XSS features [22] in Microsoft's Internet
126	   Explorer 8 (IE8).

128	   Additionally, there are various proposals aimed at addressing other
129	   facets of inherent web vulnerabilities, for example: JavaScript
130	   postMessage-based mashup communications [23], hypertext isolation
131	   techniques [24], and service security policies advertised via the
132	   Domain Name System (DNS) [25].  Going even further, there are efforts
133	   to redesign web browser architectures [26], of which Google Chrome
134	   and IE8 are deployed examples.  An even more radical approach is
135	   exhibited in the Gazelle Web Browser [27], which features a browser
136	   kernel embodied in a multi-principal OS construction providing cross-
137	   principal protection and fair sharing of all system resources.

139	   Not to be overlooked is the fact that even though there is a plethora
140	   of "standard" browser security features--e.g. the Same Origin Policy
141	   (SOP), network-related restrictions, rules for third-party cookies,
142	   content-handling mechanisms, etc. [28]--they are not implemented
143	   uniformly in today's various popular browsers and RIA frameworks
144	   [29].  This makes life even harder for web site administrators in
145	   that allowances must be made in site security posture and approaches
146	   in consideration of which browser a user may be wielding at any
147	   particular time.

149	   Although industry and researchers collectively are aware of all the
150	   above issues, we observe that the responses to date have been issue-
151	   specific and uncoordinated.  What we are ending up with looks perhaps
152	   similar to Frankenstein's monster [30]--a design with noble intents
153	   but whose final execution is an almost-random amalgamation of parts
154	   that do not work well together.  It can even cause destruction on its
155	   own [31].

157	   Thus, the goal of this document is to define the requirements for a
158	   common framework expressing security constraints on HTTP
159	   interactions.  Functionally, this framework should be general enough
160	   that it can be used to unite the various individual solutions above,
161	   and specific enough that it can address vulnerabilities not addressed
162	   by current solutions, and guide the development of future mechanisms.

164	   Overall, such a framework would provide web site administrators the
165	   tools for managing, in a least privilege [33] manner, the overall
166	   security characteristics of their web site/applications when realized
167	   in the context of user agents.

169	   [[ The author(s) understand that many of the references to web
170	   security issues are now somewhat dated and more recent work has
171	   appeared in the literature.  Suggestions of references to use in
172	   superseding the ones herein are welcome; references to web security
173	   survey papers would be good. ]]

175	1.1.  Where to Discuss This Draft

177	   Please disscuss this draft on the websec@ietf.org mailing list
178	   [WebSec].

180	2.  Document Conventions

182	   NOTE:  ..is a note to the reader.  These are points that should be
183	          expressly kept in mind and/or considered.

185	   [[TODOn: Things to fix (where "n" in "TODOn" is a number). --JeffH]]

187	   We will also be making use of the WebSec WG issue tracker, so use of
188	   the TODO marks will evolve accordingly.

190	3.  Overall Constraints

192	   Regardless of the overall approaches chosen for conveying site
193	   security policies, we believe that to be deployed at Internet-scale,
194	   and to be as widely usable as possible for both novice and expert
195	   alike, the overall solution approach will need to address these three
196	   points of tension:

198	      Granularity:

200	         There has been much debate during the discussion of some policy
201	         mechanisms (e.g.  CSP) as to how fine-grained such mechanisms
202	         should be.  The argument against fine-grained mechanisms is
203	         that site administrators will cause themselves pain by
204	         instantiating policies that do not yield the intended results.
205	         E.g. simply copying the expressed policies of a similar site.
206	         The claim is that this would occur for various reasons stemming
207	         from the mechanisms' complexity [34].

209	      Configurability:

211	         Not infrequently, the complexity of underlying facilities, e.g.
212	         in server software, is not well-packaged and thus
213	         administrators are obliged to learn more about the intricacies
214	         of these systems than otherwise might be necessary.  This is
215	         sometimes used as an argument for "dumbing down" the
216	         capabilities of policy expression mechanisms [34].

218	      Usability:

220	         Research shows that when security warnings are displayed, users
221	         are often given too much information as well as being allowed
222	         to relatively easily bypass the warnings and continue with
223	         their potentially compromising activity [35] [36] [37] [38]
224	         [39].  Thus users have become trained to "click through"
225	         security notifications "in order to get work done", though not
226	         infrequently rendering themselves insecure and perhaps
227	         compromised [40].

229	   In the next section we discuss various high-level requirements
230	   derived with the guidance of the latter tension points.

232	4.  Overall Requirements

234	   1.  Policy conveyance:

236	          in-band:

238	             HTTP header(s) are already presently used to convey policy
239	             to user agents.  However, devising generalized, extensible
240	             HTTP security header(s) such that the on-going "bloat" of
241	             the number of disjoint HTTP security headers is mitigated,
242	             is a stated requirement by various parties.  Also, then
243	             there would be a documented framework that can be leveraged
244	             as new approaches and/or threats emerge.

246	             It may be reasonable to devise distinct sets of headers to
247	             convey different classes of policies, e.g., web application
248	             content policies (such as [W3C.CR-CSP-20121115]) versus web
249	             application network connection policies (such as
250	             [RFC6797]).

252	          out-of-band:

254	             An out-of-band policy communication mechanism must be
255	             secure and should have two facets, one for communicating
256	             securely out-of-band of the HTTP protocol to allow for
257	             secure client policy store bootstrapping. potential
258	             approaches are factory-installed web browser configuration,
259	             site security policy download a la Flash's crossdomain.xml
260	             and Maone's ABE for Web Authors [21], and DNS-based policy
261	             advertisement leveraging the security ofthe Secure DNS
262	             (DNSSEC) [32].

264	       NOTE:  The distinction between in-band and out-of-band signaling
265	              is difficult to characterize because some seemingly out-
266	              of-band mechanisms rely on the same protocols (HTTP/HTTPS)
267	              and infrastructure (e.g., transparent proxy servers) as
268	              the protocols they ostensibly protect.

270	   2.  Granularity:

272	          In terms of granularity, vast arrays of stand-alone blog,
273	          wiki, hosted web account, and other "simple" web sites could
274	          ostensibly benefit from relatively simple, pre-determined
275	          policies.  However, complex sites--e.g. payment, ecommerce,
276	          software-as-a-service, mashup sites, etc.--often differ in
277	          various ways, as well as being inherently complex
278	          implementation-wise.  One-size-fits-all policies will
279	          generally not work well for them.

281	          Thus, to be effective for a broad array of web site and
282	          application types, some derived requirements are:

284	             the policy expression mechanism should fundamentally
285	             facilitate fine-grained control.  For example, CSP
286	             [W3C.CR-CSP-20121115] offers such control.

288	             In order to address the less complex needs of the more
289	             simple classes of web sites, the policy expression
290	             mechanism should have some facility for enabling "canned
291	             policy profiles".

293	             In addition, the configuration facilities of various
294	             components of the web infrastructure can be enhanced to
295	             provide an appropriately simple veneer over the complexity.

297	   3.  Configurability:

299	          With respect to configurability, development effort should be
300	          applied to creating easy-to-use administrative interfaces
301	          addressing the simple cases, like those mentioned above, while
302	          providing advanced administrators the tools to craft and
303	          manage fine-grained multi-faceted policies.  Thus more casual
304	          or novice administrators can be aided in readily choosing, or
305	          be provided with, safe default policies while other classes of
306	          sites have the tools to craft the detailed policies they
307	          require.  Examples of such an approach are Microsoft's
308	          "Packaging Wizard" [41] that easily auto-generates a quite
309	          complicated service deployment descriptor on behalf of less
310	          experienced administrators, and Firefox's simple Preferences
311	          dialog [42] as compared to its detailed about:config
312	          configuration editor page [43].  In both cases, simple usage
313	          by inexperienced users is anticipated and provided for on one
314	          hand, while complex tuning of the myriad underlying
315	          preferences is provided for on the other.

317	   4.  Usability:

319	          Much has been learned over the last few years about what does
320	          and does not work with respect to security indicators in web
321	          browsers and web pages, as noted above, these lessons should
322	          be applied to the security indicators rendered by new proposed
323	          security mechanisms.  We believe that in cases of user agents
324	          venturing into insecure situations, their response should be
325	          to fail the connections by default without user recourse,
326	          rather than displaying warnings along with bypass mechanisms,
327	          as is current practice.  For example, the Strict Transport
328	          Security specification [RFC6797] suggests the former so-called
329	          "hard-fail" behavior.

331	5.  Vulnerabilities, Attacks, and Threats

333	   This section enumerates vulnerabilities and attacks of concern, and
334	   then illustrates plausible threats that could result from
335	   exploitation of the vulnerabilities.  The intent is to illustrate
336	   threats that ought to be mitigated by a web security policy
337	   framework.

339	   The definitions of vulnerability, attack, and threat used in this
340	   document are based on the definitions from [RFC4949], and are
341	   paraphrased here as:

343	   Vulnerability:    A flaw or weakness in a system's design,
344	                     implementation, or operation and management that
345	                     could be exploited.

347	   Attack:           An intentional act of vulnerability exploitation,
348	                     usually characterized by one or more of: the method
349	                     or technique used, and/or the point of initiation,
350	                     and/or the method of delivery, etc.  For example:
351	                     active attack, passive attack, offline attack,
352	                     Cross-site Scripting (XSS) attack, SQL injection
353	                     attack, etc.

355	   Threat:           Any circumstance or event with the potential to
356	                     adversely affect a system and its user(s) through
357	                     unauthorized access, destruction, disclosure, or
358	                     modification of data, or denial of service.

360	   See also Appendix B.1 Source: Attacks and Threats.

362	5.1.  Attacks

364	   These are some of the attacks which are desirable to mitigate via a
365	   web application security framework (see [WASC-THREAT] for a more
366	   complete taxonomy of attacks):

368	   1.  Cross-site-scripting (XSS) [2] [WASC-THREAT-XSS]

370	   2.  Cross-Site-Request Forgery (CSRF) [WASC-THREAT-CSRF]

372	   3.  Response Splitting [WASC-THREAT-RESP]

374	   4.  User Interface Redressing [UIRedress], aka Clickjacking
375	       [Clickjacking].

377	   5.  Man-in-the-middle (MITM) attacks against "secure" web
378	       applications, i.e., ones accessed using TLS/SSL [RFC5246]
379	       [WASC-THREAT-TLS] [SSLSTRIP].

381	   6.  [[TODO2: more? (e.g. from [WASC-THREAT] ?) --JeffH]]

383	5.2.  Threats

385	   Via attacks exploiting the vulnerabilities above, an attacker can..

387	   1.  Obtain a victim's confidential web application credentials (e.g.,
388	       via cookie theft), and use the credentials to impersonate the
389	       victim and enter into transactions, often with the aim of
390	       monetizing the transaction results to the attacker's benefit.

392	   2.  Insert themselves as a Man-in-the-Middle (MITM) between victim
393	       and various services, thus is able to instigate, control,
394	       intercept, and attempt to monetize various transactions and
395	       interactions with web applications, to the benefit of the
396	       attacker.

398	   3.  Enumerate various user agent information stores, e.g. browser
399	       history, facilitating views of the otherwise confidential habits
400	       of the victim.  This information could possibly be used in
401	       various offline attacks against the victim directly.  E.g.:
402	       blackmail, denial of services, law enforcement actions, etc.

404	   4.  Use gathered information and credentials to construct and present
405	       a falsified persona of the victim (e.g. for character
406	       assassination).

408	   There is a risk of exfiltration of otherwise confidential victim
409	   information with all the threats listed above.

411	6.  Use Cases

413	   This section outlines various example use cases.

415	   1.  I'm a web application site administrator.  My web app includes
416	       static user-supplied content (e.g. submitted from user agents via
417	       HTML FORM + HTTP POST), but either my developers don't properly
418	       sanitize user-supplied content in all cases or/and content
419	       injection vulnerabilities exist or materialize (for various
420	       reasons).

422	       This leaves my web app vulnerable to cross-site scripting.  I
423	       wish I could set overall web app-wide policies that prevent user-
424	       supplied content from injecting malicious content (e.g.
425	       JavaScript) into my web app.

427	   2.  I'm a web application site administrator.  My web application is
428	       intended, and configured, to be uniformly served over HTTPS, but
429	       my developers mistakenly keep including content via insecure
430	       channels (e.g. via insecure HTTP; resulting in so-called "mixed
431	       content").

433	       I wish I could set a policy for my web app that prevents user
434	       agents from loading content insecurely even if my web app is
435	       otherwise telling them to do so.

437	   3.  I'm a web application site administrator.  My site has a policy
438	       that we can only include content from certain trusted providers
439	       (e.g., our CDN, Amazon S3), but my developers keep adding
440	       dependencies on origins I don't trust.  I wish I could set a
441	       policy for my site that prevents my web app from accidentally
442	       loading resources outside my whitelist.

444	   4.  I'm a web application site administrator.  I want to ensure that
445	       my web app is never framed by other web apps.

447	   5.  I'm a developer of a web application which will be included (i.e.
448	       framed) by third parties within their own web apps.  I would like
449	       to ensure that my web app directs user agents to only load
450	       resources from URIs I expect it to (possibly even down to
451	       specific URI paths), without affecting the containing web app or
452	       any other web apps it also includes.

454	   6.  I'm a web application site administrator.  My web app frames
455	       other web apps whose behavior, properties, and policies are not
456	       100% known or predictable.

458	       I need to be able to apply policies that both protect my web app
459	       from potential vulnerabilities or attacks introduced by the
460	       framed web apps, and that work to ensure that the desired
461	       interactions between my web app and the framed apps are securely
462	       realized.

464	   7.  [[TODO3: additional use cases to add? --JeffH]]

466	7.  Detailed Functional Requirements

468	   Many of the below functional requirements are extracted from a
469	   discussion on the [public-web-security] mailing list (in early 2011).
470	   Particular messages are cited inline and appropriate quotes extracted
471	   and reproduced here.  Inline citations are provided for definitions
472	   of various terms.

474	   The overall functional requirement categories are:

476	   1.   Policy mechanism scope

478	   2.   Policy expression syntax

480	   3.   Tooling

482	   4.   Performance

484	   5.   Granularity

486	   6.   Notifications and reporting

488	   7.   Facilitating Separation of Duties

490	   8.   Hierarchical Policy Application

492	   9.   Policy Delivery

494	   10.  Policy Conflict Resolution

496	   [[TODO4: additional functional requirement categories to add?
497	   --JeffH]]

499	   These requirements are discussed in more detail below:

501	   1.   Policy mechanism scope and extensibility:

503	           There is a current proliferation of orthogonal atomic
504	           mechanisms intended to solve very specific problems.  Web
505	           developers have a hard enough time with security already
506	           without being expected to master a potentially large number
507	           of different security mechanisms, each with their own unique
508	           threat model, implementation and syntax.  Not to mention
509	           trying to figure out how they're expected to interact with
510	           each other; e.g., how to manage the gaps and intersections
511	           between the models.

513	           Thus the desire to have an extensible security policy
514	           mechanism that could evolve as the web evolves, and the
515	           threats that the web faces also evolve.  For example, an
516	           extensibility model similar to HTML where the security
517	           protections could grown over time.

519	           See also Appendix B.2 Source: Policy Expression Syntax [1].

521	   2.   Policy expression syntax:

523	           The policy expression syntax for a web security framework
524	           should be declarative [DeclLang] (and extensible, as noted
525	           above).  This is for simplicity sake, as the alternative to
526	           declarative is procedural/functional, e.g., the class of
527	           language ECMAscript falls into.

529	           See also Appendix B.2 Source: Policy Expression Syntax [1],
530	           and, Appendix B.3 Source: Policy Expression Syntax [2].

532	   3.   Tooling:

534	           We will need tools to (idealy) analyze a web application and
535	           generate an initial security policy.

537	           See also Appendix B.4 Source: Tooling.

539	   4.   Performance:

541	           Minimizing performance impact is a first-order concern.

543	           See also Appendix B.5 Source: Performance.

545	   5.   Granularity:

547	           For example, discriminate between:

549	           +  "inline" script in <head> versus <body>, or not.

551	           +  "inline" script and "src=" loaded script.

553	           +  Classes of "content", e.g. scriptable content, passive
554	              multimedia, nested documents, etc.

556	           See also Appendix B.6 Source: Granularity.

558	   6.   Notifications and Reporting:

560	           Convey to the user agent an identifier (e.g. a URI) denoting
561	           where to send policy violation reports.  Could also specify a
562	           DOM event to be dedicated for this purpose.

564	           An ability to specify that a origin's policies are to be
565	           enforced in a "report only" mode will be useful for debugging
566	           policies as well as site-policy interactions.  E.g. for
567	           answering the question: "does my policy 'break' my site?".

569	           See also Appendix B.7 Source: Notifications and Reporting.

571	   7.   Facilitating Separation of Duties:

573	           Specifically, allowing for Web Site operations/deployment
574	           personnel to apply site policy, rather then having it being
575	           encoded in the site implementation code by side developers/
576	           implementors.

578	           See also Appendix B.8 Source: Facilitating Separation of
579	           Duties.

581	   8.   Hierarchical Policy Application:

583	           The notion that policy emitted by the application's source
584	           origin is able to constrain behavior and policies of
585	           contained origins.

587	           See also Appendix B.9 Source: Hierarchical Policy
588	           Application.

590	   9.   Framing Policy Hierarchy, cross-origin, granularity,
591	        auditability, roles:

593	           [[TODO5: Need more fully coalesce the source info from
594	           appendix into this item. --JeffH]]

596	           +  "Framing" is a client-side instance notion, where
597	              webapp1's client-side instance (aka "document") loads
598	              another webapp, "webapp2", into an HTML <IFRAME> element.

600	           +  A webapp may wish to never be framed by another webapp.

602	           +  webapps are denoted by "origins" [RFC6454].

604	           +  an origin can emit policy (i.e. from the server-side
605	              webapp component) to the user agent (i.e. the execution
606	              environment/container for the client-side webapp
607	              component) in at least two fashions: HTML element
608	              attributes, HTTP header fields, ecmascript code.  See also
609	              Paragraph 10.

611	           +  Policy expressed via HTML <IFRAME> elements is "fine-
612	              grained" because the webapp can control such policies on
613	              iframe-by-iframe basis.  Policies conveyed by HTTP header
614	              fields applies "document-wide" (i.e., to the webapp
615	              client-side instance) as a whole.

617	           +  Note that either or both of the "framing" or "framed"
618	              webapp client-side instance may be an attacker (in which
619	              case the other webapp client-side instance would be
620	              considered a "victim" (whether or not its actual
621	              intentions are malicious or not)).

623	           See also Appendix B.10 Source: Framing Policy Hierarchy,
624	           cross-origin, granularity.

626	   10.  Policy Delivery:

628	           [[TODO6: Need more fully coalesce the source info from
629	           appendix into this item, and blend/resolve/contrast with
630	           above item. --JeffH]]

632	           The web application policy must be communicated by the web
633	           application to the user agent.  There are various approaches
634	           and they have tradeoffs between security, audience, and
635	           practicality.

637	           See also Appendix B.11 Source: Policy Delivery [1], as well
638	           as, Appendix B.12 Source: Policy Delivery [2].

640	   11.  Policy Conflict Resolution:

642	           [[TODO7: Need more fully coalesce the source info from
643	           appendix into this item. --JeffH]]

645	           What is the model for resolving conflicts between policies
646	           expressed by "parent" and "child" webapps?

648	           Should policies conveyed via HTTP header fields (i.e., that
649	           apply webapp-wide) be handled differently than those
650	           expressed by webapp client-side instances (e.g., via HTML
651	           elements and their attributes)?
652	           See also Appendix B.13 Source: Policy Conflict Resolution.

654	8.  Extant Policies to Coalesce

656	   Presently, this section lists a grab-bag of individually-expressed
657	   web app security policies which a more general substrate could
658	   ostensibly encompass (in order to, for example, reduce "header bloat"
659	   and bytes-on-the-wire issues), as well as reduce functional policy
660	   duplication/overlap.

662	      CORS

664	      XDomainRequest

666	      toStaticHtml

668	      innerSafeHtml

670	      X-Frame-Options

672	      CSP frame-ancestors

674	      more?

676	9.  Example Concrete Approaches

678	   An overall, broad approach (from [0]):

680	      As for an overall policy mechanism, we observe that leveraging a
681	      combination of CSP [16] and ABE [19], or their employment in
682	      tandem, as a starting point for a multi-vendor approach may be
683	      reasonable.  For a near-term policy delivery mechanism, we
684	      advocate use of both HTTP headers and a policy file at a well-
685	      known location.  Leveraging DNSSEC is attractive in the
686	      intermediate term, i.e. as it becomes more widely deployed.

688	10.  Security Considerations

690	   Security considerations go here.

692	11.  References

694	   [[TODO1: re-code refs into xml and place in proper refs section.
695	   --JeffH]]

697	   [0] J. Hodges, A. Steingruebl, "The Need for Coherent Web Security
698	   Policy Framework(s)", Web 2.0 Security & Privacy, Oakland CA, 20 May
699	   2010. http://w2spconf.com/2010/papers/p11.pdf

701	   [1] Breach Security, "THE WEB HACKING INCIDENTS DATABASE 2009," Aug.
702	   2009. http://www.breach.com/resources/whitepapers/downloads/
703	   WP_TheWebHackingIncidents-2009.pdf

705	   [2] R. Auger, The Cross-Site Request Forgery (CSRF/XSRF) FAQ, 2007.
706	   http://www.cgisecurity.com/articles/csrf-faq.shtml

708	   [3] A. Barth, J. Caballero, and D. Song, "Secure Content Sniffing for
709	   Web Browsers--or How to Stop Papers from Reviewing Themselves,"
710	   Proceedings of the 30th IEEE Symposium on Security & Privacy,
711	   Oakland, CA: 2009.

713	   [4] D. Goodin, "Major IE8 flaw makes 'safe' sites unsafe -
714	   Microsoft's XSS buster busted," The Register, Nov. 2009. http://
715	   www.theregister.co.uk/2009/11/20/internet_explorer_security_flaw/

717	   [5] J. Grossman, "Clickjacking: Web pages can see and hear you," Oct.
718	   2008. http://jeremiahgrossman.blogspot.com/2008/10/
719	   clickjacking-web-pages-can-see-and-hear.html

721	   [6] W. Salusky, Malvertising, 2007.
722	   http://isc.sans.org/diary.html?storyid=3727

724	   [7] T. Dierks and E. Rescorla, "The Transport Layer Security (TLS)
725	   Protocol Version 1.2," RFC5246, Internet Engineering Task Force, Aug.
726	   2008. http://www.ietf.org/rfc/rfc5246.txt

728	   [8] M. Marlinspike, SSLSTRIP, 2009.
729	   http://www.thoughtcrime.org/software/sslstrip/

731	   [9] Scope of HTTPOnly Cookies.
732	   http://docs.google.com/View?docid=dxxqgkd_0cvcqhsdw

734	   [10] E. Lawrence, IE8 Security Part VII: ClickJacking Defenses, 2009.
735	   http://blogs.msdn.com/ie/archive/2009/01/27/
736	   ie8-security-part-vii-clickjacking-defenses.aspx

738	   [11] J. Hodges, C. Jackson, and A. Barth, "Strict Transport
739	   Security," Work-in-progress, Internet-Draft, Jul. 2010.
740	   http://tools.ietf.org/html/draft-hodges-strict-transport-sec

742	   [12] A. Barth, C. Jackson, and I. Hickson, "The Web Origin Concept,"
743	   Internet-Draft, work in progress, Internet Engineering Task Force,
744	   2009. http://tools.ietf.org/html/draft-abarth-origin

746	   [13] E. Lawrence, IE8 Security Part VI: Beta 2 Update, 2008. http://
747	   blogs.msdn.com/ie/archive/2008/09/02/
748	   ie8-security-part-vi-beta-2-update.aspx

750	   [14] G. Markham, Content restrictions, 2007.
751	   http://www.gerv.net/security/content-restrictions/

753	   [15] T. Jim, N. Swamy, and M. Hicks, "BEEP: Browser-Enforced Embedded
754	   Policies," Proceedings of the 16th International World Wide Web
755	   Conference, Banff, Alberta, Canada, 2007.

757	   [16] B. Sterne, "Content Security Policy (CSP)," 2011. https://
758	   dvcs.w3.org/hg/content-security-policy/raw-file/bcf1c45f312f/
759	   csp-unofficial-draft-20110303.html

761	   [17] A.V. Kesteren, "Cross-Origin Resource Sharing (CORS)," Mar.
762	   2009. http://www.w3.org/TR/2009/WD-cors-20090317/

764	   [18] Adobe Systems, "Cross-domain policy file specification." http://
765	   learn.adobe.com/wiki/download/attachments/64389123/
766	   CrossDomain_PolicyFile_Specification.pdf?version=1

768	   [19] G. Maone, ABE - Application Boundaries Enforcer, 2009.
769	   http://noscript.net/abe/

771	   [20] G. Maone, NoScript. http://noscript.net/

773	   [21] G. Maone, ABE for Web Authors, 2009.
774	   http://noscript.net/abe/web-authors.html

776	   [22] Microsoft, "Event 1046 - Cross-Site Scripting Filter," MSDN
777	   Library, undated.
778	   http://msdn.microsoft.com/en-us/library/dd565647%28VS.85%29.aspx

780	   [23] A. Barth, C. Jackson, and W. Li, "Attacks on JavaScript Mashup
781	   Communication," Proceedings of the Web 2.0 Security and Privacy
782	   Workshop, 2009.

784	   [24] M. Ter Louw, P. Bisht, and V. Venkatakrishnan, "Analysis of
785	   Hypertext Isolation Techniques for XSS Prevention," Proceedings of
786	   the Web 2.0 Security and Privacy Workshop, 2008 .

788	   [25] A. Ozment, S.E. Schechter, and R. Dhamija, "Web Sites Should Not
789	   Need to Rely on Users to Secure Communications," W3C Workshop on
790	   Transparency and Usability of Web Authentication, 2006.

792	   [26] C. Reis, A. Barth, and C. Pizano, "Browser Security: Lessons
793	   from Google Chrome," ACM Queue, 2009, pp. 1-8.

795	   [27] H.J. Wang, C. Grier, A. Moshchuk, S.T. King, P. Choudhury, and
796	   H. Venter, "The Multi-Principal OS Construction of the Gazelle Web
797	   Browser," USENIX Security Symposium, 2009.

799	   [28] M. Zalewski, Browser Security Handbook.
800	   http://code.google.com/p/browsersec/

802	   [29] A. Stamos, D. Thiel, and J. Osborne, Living in the RIA World:
803	   Blurring the Line between Web and Desktop Security, BlackHat
804	   presentation, iSecPartners, 2008.
805	   https://www.isecpartners.com/files/RIA_World_BH_2008.pdf

807	   [30] Mary Shelley, "Frankenstein, or The Modern Prometheus," ca.
808	   1831. http://en.wikipedia.org/wiki/Frankenstein%27s_monster

810	   [31] D. Goodin, "cPanel, Netgear and Linksys susceptible to nasty
811	   attack - Unholy Trinity," The Register, 2009.
812	   http://www.theregister.co.uk/2009/08/02/unholy_trinity_csrf/

814	   [32] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, "DNS
815	   security introduction and requirements," RFC4033, Internet
816	   Engineering Task Force, Mar. 2005.
817	   http://www.ietf.org/rfc/rfc4033.txt

819	   [33] J.H. Saltzer and M.D. Schroeder, "The Protection of Information
820	   in Computer Systems," Communications of the ACM, vol. 17, Jul. 1974.

822	   [34] I. Hickson and many others, "Comments on the Content Security
823	   Policy specification," discussion on mozilla.dev.security newsgroup.
824	   http://groups.google.com/group/mozilla.dev.security/browse_frm/
825	   thread/
826	   87ebe5cb9735d8ca?tvc=1&
827	   q=Comments+on+the+Content+Security+Policy+specification

829	   [35] S. Egelman, L.F. Cranor, and J. Hong, "You've Been Warned: An
830	   Empirical Study of the Effectiveness of Web Browser Phishing
831	   Warnings," CHI 2008, April 5 - 10, 2008, Florence, Italy, 2008.

833	   [36] S.E. Schechter, R. Dhamija, A. Ozment, and I. Fischer, "The
834	   Emperor's New Security Indicators," Proceedings of the 2007 IEEE
835	   Symposium on Security and Privacy.

837	   [37] R. Dhamija and J.D. Tygar, "The Battle Against Phishing: Dynamic
838	   Security Skins," Proceedings of the 2005 Symposium on Usable Privacy
839	   and Security (SOUPS).

841	   [38] J. Sobey, T. Whalen, R. Biddle, P.V. Oorschot, and A.S. Patrick,
842	   Browser Interfaces and Extended Validation SSL Certificates: An
843	   Empirical Study, Ottawa, Canada: School of Computer Science, Carleton
844	   University, 2009.

846	   [39] J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L.F.
847	   Cranor, "Crying Wolf: An Empirical Study of SSL Warning
848	   Effectiveness," USENIX Security Symposium, 2009.

850	   [40] C. Jackson and A. Barth, "ForceHTTPS: Protecting High-Security
851	   Web Sites from Network Attacks," Proceedings of the 17th
852	   International World Wide Web Conference (WWW), 2008.

854	   [41] Microsoft, "Packaging Wizard."
855	   http://msdn.microsoft.com/en-us/library/aa157732(office.10).aspx

857	   [42] Mozilla, "Options window."
858	   http://support.mozilla.com/en-US/kb/Options+window

860	   [43] S. Yegulalp, "Hacking Firefox: The secrets of about:config,"
861	   ComputerWorld, May. 2007. http://www.computerworld.com/s/article/
862	   9020880/Hacking_Firefox_The_secrets_of_about_config

864	12.  Informative References

866	   [Clickjacking]
867	              "Clickjacking", Sep 2008,
868	              <http://www.sectheory.com/clickjacking.htm>.

870	   [DeclLang]
871	              "declarative languages", A Dictionary of
872	              Computing Encyclopedia.com, 2004, <http://
873	              www.encyclopedia.com/doc/1O11-declarativelanguages.html>.

875	   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
876	              RFC 4949, August 2007.

878	   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
879	              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

881	   [RFC6454]  Barth, A., "The Web Origin Concept", RFC 6454,
882	              December 2011.

884	   [RFC6797]  Hodges, J., Jackson, C., and A. Barth, "HTTP Strict
885	              Transport Security (HSTS)", RFC 6797, November 2012.

887	   [SSLSTRIP]
888	              Marlinspike, M., "SSLSTRIP", 2009,
889	              <http://www.thoughtcrime.org/software/sslstrip/>.

891	   [UIRedress]
892	              "Dealing with UI redress vulnerabilities inherent to the
893	              current web", Sep 2008, <http://lists.whatwg.org/
894	              htdig.cgi/whatwg-whatwg.org/2008-September/016284.html>.

896	   [W3C.CR-CSP-20121115]
897	              Sterne, B. and A. Barth, "Content Security Policy 1.0",
898	              World Wide Web Consortium CR CR-CSP-20121115,
899	              November 2012,
900	              <http://www.w3.org/TR/2012/CR-CSP-20121115>.

902	   [WASC-THREAT]
903	              Web Application Security Consortium, "The WASC Threat
904	              Classification v2.0", January 2010,
905	              <http://projects.webappsec.org/f/WASC-TC-v2_0.pdf>.

907	   [WASC-THREAT-CSRF]
908	              Web Application Security Consortium, "Cross Site Request
909	              Forgery", The WASC Threat Classification v2.0 Reference
910	              ID: WASC-9, January 2010, <http://projects.webappsec.org/
911	              w/page/13246919/Cross%20Site%20Request%20Forgery>.

913	   [WASC-THREAT-RESP]
914	              Web Application Security Consortium, "HTTP Response
915	              Splitting", The WASC Threat Classification v2.0 Reference
916	              ID: WASC-25, January 2010, <http://projects.webappsec.org/
917	              w/page/13246931/HTTP%20Response%20Splitting>.

919	   [WASC-THREAT-TLS]
920	              Web Application Security Consortium, "Insufficient
921	              Transport Layer Protection", The WASC Threat
922	              Classification v2.0 Reference ID: WASC-04, January 2010, <
923	              http://projects.webappsec.org/w/page/13246945/
924	              Insufficient%20Transport%20Layer%20Protection>.

926	   [WASC-THREAT-XSS]
927	              Web Application Security Consortium, "Cross Site
928	              Scripting", The WASC Threat Classification v2.0 Reference
929	              ID: WASC-8, January 2010, <http://projects.webappsec.org/
930	              w/page/13246920/Cross%20Site%20Scripting>.

932	   [WebSec]   "Web HTTP Application Security Minus Authentication and
933	              Transport",
934	              <https://www.ietf.org/mailman/listinfo/websec>.

936	   [public-web-security]
937	              "public-web-security@w3.org: Improving standards and
938	              implementations to advance the security of the Web.",
939	              <http://lists.w3.org/Archives/Public/
940	              public-web-security/>.

942	Appendix A.  Acknowledgments

944	   Text and ideas were prototypically incorporated from various mailing
945	   list discussions, notably the ones on the [public-web-security]
946	   mailing list in early 2011, into this document.  The authors wish to
947	   acknowledge and thank these individuals in particular for their tacit
948	   contributions to this document: Lucas Adamski, Adam Barth, gaz Heyes,
949	   Andrew Steingruebl, Brandon Sterne, Daniel Veditz, John Wilander.

951	Appendix B.  Discussion References

953	B.1.  Source: Attacks and Threats

955	   In terms of defining threats in contrast to attacks:

957	   <"Re: More on XSS mitigation (was Re: XSS mitigation in browsers)"
958	   (Lucas Adamski).  http://lists.w3.org/Archives/Public/
959	   public-web-security/2011Jan/0089.html>

961	      "...  There's a fundamental question about whether we should be
962	      looking at these problems from an attack vs threat standpoint.  An
963	      attack is [exploitation of, ed.]  XSS [or CSRF, or Response
964	      Splitting, etc.].  A threat is that an attacker could compromise a
965	      site via content injection to trick the user to disclosing
966	      confidential information (by injecting a plugin or CSS to steal
967	      data or fool the user into sending their password to the
968	      attacker's site). ..."

970	B.2.  Source: Policy Expression Syntax [1]

972	   In terms of policy expression syntax and extensibility, Lucas Adamski
973	   supplied this: <"Re: XSS mitigation in browsers" (Lucas Adamski).  ht
974	   tp://lists.w3.org/Archives/Public/public-web-security/2011Jan/
975	   0066.html>

977	      "On a conceptual level, I am not really a believer in the current
978	      proliferation of orthogonal atomic mechanisms intended to solve
979	      very specific problems.  Security is a holistic discipline, and so
980	      I'm a big supporter of investing in an extensible declarative
981	      security policy mechanism that could evolve as the web and the
982	      threats that it faces do.  Web developers have a hard enough time
983	      with security already without being expected to master a
984	      potentially large number of different security mechanisms, each
985	      with their own unique threat model, implementation and syntax.
986	      Not to mention trying to figure out how they're expected to
987	      interact with each other... how to manage the gaps and
988	      intersections between the models."

990	B.3.  Source: Policy Expression Syntax [2]

992	   In terms of policy expression syntax and extensibility, Adam Barth
993	   supplied this: <"Re: Scope and complexity (was Re: More on XSS
994	   mitigation)" (Adam Barth).  http://lists.w3.org/Archives/Public/
995	   public-web-security/2011Jan/0108.html>

997	      "I guess I wish we had an extensibility model more like HTML where
998	      we could grow the security protections over time.  For example, we
999	      can probably agree that both <canvas> and <video> are great
1000	      additions to HTML that might not have made sense when folks were
1001	      designing HTML 1.0.

1003	      As long as you're not relying on the security policy as a first
1004	      line of defense, the extensibility story for security policies is
1005	      even better than it is with HTML tags.  With an HTML tag, you need
1006	      a fall-back for browsers that don't support the tag, whereas with
1007	      a security policy, you'll always have your first line of defense.

1009	      Ideally, we could come up with a policy mechanism that let us nail
1010	      XSS today and that fostered innovation in security for years to
1011	      come.  In the short term, you could view the existing CSP features
1012	      (e.g., clickjacking protection) as the first wave of innovation.
1013	      If those pieces are popular, then it should be easy for other
1014	      folks to adopt them."

1016	B.4.  Source: Tooling

1018	   In terms of tooling needs, John Wilander supplied this: <"Re: More on
1019	   XSS mitigation" (John Wilander).  http://lists.w3.org/Archives/
1020	   Public/public-web-security/2011Jan/0082.html>

1022	      "*Developers Will Want a Policy Generator* A key issue for in-the-
1023	      field success of CSP is how to write, generate and maintain the
1024	      policies.  Just look at the epic failure of Java security
1025	      policies.  The Java policy framework was designed for static
1026	      releases shipped on CDs, not for moving code, added frameworks,
1027	      new framework versions etc.  The world of web apps is so dynamic
1028	      I'm still amazed.  If anything, for instance messy security
1029	      policies, gets in the way of daily releases it's a no go.  At
1030	      least until there's an exploit.  Where am I going with this?
1031	      Well, we should implement a PoC *policy generator* and run it on
1032	      some fairly large websites before we nail the standard.  There
1033	      will be subtleties found which we can address and we can bring the
1034	      PoC to production level while the standard is being finalized and
1035	      shipped in browsers.  Then we release the policy generator along
1036	      with policy enforcement -- success! "

1038	B.5.  Source: Performance

1040	   In terms of performance, John Wilander supplied this: <"Re: More on
1041	   XSS mitigation" (John Wilander).  http://lists.w3.org/Archives/
1042	   Public/public-web-security/2011Jan/0082.html>

1044	      "*We Mustn't Spoil Performance* Web developers (and browser
1045	      developers) are so hung up on performance that we really need to
1046	      look at what they're up to and make sure we don't spoil things.
1047	      Especially load performance now that it's part of Google's
1048	      rating."

1050	B.6.  Source: Granularity

1052	   In terms of granularity, Daniel Veditz supplied this: <"Proposal to
1053	   move the debate forward" (Daniel Veditz).  http://lists.w3.org/
1054	   Archives/Public/public-web-security/2011Jan/0122.html>

1056	      "We oscillated several times between lumpy and granular.  Fewer
1057	      classes (simpler) is always more attractive, easier to explain and
1058	      understand.  The danger is that future features then end up being
1059	      added to the existing lumps, possibly enabling things that the
1060	      site isn't aware they need to now filter.  It's a constant problem
1061	      as we expand the capabilities of browsers -- sites that used to be
1062	      perfectly secure are suddenly hackable because all the new
1063	      browsers added feature-X."

1065	B.7.  Source: Notifications and Reporting

1067	   In terms of notifications and reporting, Brandon Sterne supplied
1068	   this: <"[Content Security Policy] Proposal to move the debate
1069	   forward" (Brandon Sterne).  http://lists.w3.org/Archives/Public/
1070	   public-web-security/2011Jan/0118.html>

1072	   "...
1073	   3. Violation Reporting
1074	      a. report-uri: URI to which a report will be sent upon policy
1075	         violation
1076	      b. SecurityViolation event: DOM event fired upon policy violations
1077	    ..."

1079	B.8.  Source: Facilitating Separation of Duties

1081	   In terms of facilitating separation of duties, Andrew Steingruebl
1082	   supplied this: <"RE: Content Security Policy and iframe@sandbox"
1083	   (Andrew Steingruebl).  http://lists.w3.org/Archives/Public/
1084	   public-web-security/2011Feb/0050.html>

1086	      "... 2.  SiteC is also totally in control of all HTTP headers it
1087	      emits.  It could just as easily indicate policy choices for all
1088	      frames via CSP.  It could advertise a blanket policy (No JS, No
1089	      ActiveX).  Advertising a page-specific, or frame/target specific
1090	      policy is substantially more difficult and probably unwieldy.
1091	      But, depending on how SiteC is configured, setting a global site
1092	      policy via headers offers a potential separation of duties that #1
1093	      does not, it allows website admin to specific things that each web
1094	      developer might not be able to. ..."

1096	B.9.  Source: Hierarchical Policy Application

1098	   In terms of hierarchical policy application, Andrew Steingruebl
1099	   supplied this: <"RE: Content Security Policy and iframe@sandbox"
1100	   (Andrew Steingruebl).  http://lists.w3.org/Archives/Public/
1101	   public-web-security/2011Feb/0048.html>

1103	      "...  I could imagine a tweak to CSP wherein CSP would control all
1104	      contents hierarchically.  I already spoke to Brandon about it, but
1105	      it was just a quick brainstorm.

1107	      You could imagine revoking permissions in the frame hierarchy and
1108	      not granting them back.  This does start to get awfully ugly, but
1109	      just as CSP controls loading policy for itself, it could also
1110	      control loading policy for children, ..."

1112	B.10.  Source: Framing Policy Hierarchy, cross-origin, granularity

1114	   In terms of framing policy hierarchy, cross-origin, granularity, Andy
1115	   Steingruebl and Adam Barth supplied this:

1117	      <"Re: Content Security Policy and iframe@sandbox") (Andy
1118	      Steingruebl, Adam Barth) http://lists.w3.org/Archives/Public/
1119	      public-web-security/2011Feb/0051.html>

1121	On Sat, Feb 12, 2011 at 9:01 PM, Steingruebl, Andy
1122	                <asteingruebl@paypal-inc.com> wrote:
1123	>> -----Original Message-----
1124	>> From: Adam Barth [mailto:w3c@adambarth.com]
1125	>
1126	>> That all sounds very abstract. If you have some concrete examples,
1127	>> that might be more productive to discuss. When enforcing policy
1128	>> supplied by one origin on another origin, we need to be careful to
1129	>> consider the case where the policy providing origin is the attacker
1130	>> and the origin on which the policy is being enforced is the victim.
1131	>
1132	> SiteA  wants to make sure it cannot ever be framed.  It deploys
1133	X-Frame-Options headers and framebusting JS, and maybe even CSP
1134	frame-ancestors.
1135	>
1136	> SiteB wants to make sure it never loads data from anything other than
1137	SiteB (no non-origin loads).  It outputs CSP headers to this effect
1138	>
1139	> SiteC wants to make sure that any content it frames cannot run ActiveX
1140	controls, nor do a 401 authentication.  It can't really do this with
1141	current iframe sandboxing, but pretend it could...
1142	>
1143	> SiteC wants to control the behavior of children that it frames.  It
1144	needs to advertise this policy to a web browser.  It has two choices:
1145	>
1146	> 1. It can do it inline in the HTML it outputs with extra attributes of
1147	the iframe it creates.  SiteC is in complete control of the HTML that
1148	creates the iframe.  I can impose any policy via sandbox attributes.
1149	Currently for example, it can disable JS in the frame.  If it frames
1150	SiteA, SiteA's framebusting JS will never run, but the browser will
1151	respect its X-Frame-Options headers.
1152	>
1153	> 2. SiteC is also totally in control of all HTTP headers it emits.  It
1154	could just as easily indicate policy choices for all frames via CSP.  It
1155	could advertise a blanket policy (No JS, No ActiveX).  Advertising a
1156	page-specific, or frame/target specific policy is substantially more
1157	difficult and probably unwieldy. But, depending on how SiteC is
1158	configured, setting a global site policy via headers offers a potential
1159	separation of duties that #1 does not, it allows website admin to
1160	specific things that each web developer might not be able to.
1161	>
1162	> 3. Because all of Site A,B,C are in different origins, they don't
1163	really have to worry about polluting other origins, but they do have to
1164	worry about problematic behavior such as top-nav, 401-auth popups, etc.
1165	Parents need to constrain certain behavior of things they embed,
1166	according to certain rules of whether the child allows itself to be
1167	framed.
1168	>
1169	> I totally get how existing iframe sandboxing that turns off JS is
1170	problematic for sites [due to] older browsers that don't support
1171	X-Frame-Options.  We already have a complicated interaction between
1172	these multiple security controls.

1174	>
1175	> Can you give me an example of why my #1/#2 are actually that
1176	different?  Whether we control behavior with headers of inline content,
1177	each site is totally responsible for what it emits, and can already
1178	control in some interesting ways the behavior of content it
1179	frames/includes.

1181	In this example, the trade-off for Site C seems to boil down to the
1182	granularity of the policy.  Using attributes on a frame is more
1183	fine-grained because Site C can make these decisions on an
1184	iframe-by-iframe basis whereas using a document-wide policy is more
1185	coarse-grained.

1187	Of course, there's a trade-off between different granularities.  On
1188	the one hand, fine-grained gives the site more control over how
1189	different iframes behavior.  On the other hand, it's much easier to
1190	audit and understand the effects of a coarse-grained policy.

1192	Adam

1194	B.11.  Source: Policy Delivery [1]

1196	   In terms of policy delivery, Brandon Sterne supplied this: <"[Content
1197	   Security Policy] Proposal to move the debate forward" (Brandon
1198	   Sterne).  http://lists.w3.org/Archives/Public/public-web-security/
1199	   2011Jan/0118.html>

1201	   "...
1202	   6. Policy delivery
1203	      a. HTTP header
1204	      b. <meta> (or <link>) tag, to be superseded by header if present
1205	      c. policy-uri: a URI from which the policy will be fetched; can be
1206	         specified in either header or tag
1207	   ..."

1209	B.12.  Source: Policy Delivery [2]

1211	   In terms of defining policy delivery, gaz Heyes supplied this: <"Re:
1212	   [Content Security Policy] Proposal to move the debate forward" (gaz
1213	   Heyes).  http://lists.w3.org/Archives/Public/public-web-security/
1214	   2011Jan/0148.html>

1216	      "...
1217	      a) Policy shouldn't be defined in a http header it's too messy and
1218	      what happens when there's a mistake?
1219	      b) As discussed on the list there is no need to have a separate
1220	      method as it can be generated by an attacker.  If a policy doesn't
1221	      exist then an attacker can now DOS the web site via meta.

1223	      c) We have a winner, a http header specifying a link to the policy
1224	      file is the way to go IMO, my only problem with it is devs
1225	      implementing it.  Yes facebook would and probably twitter would
1226	      but Dave's tea shop wouldn't pay enough money to hire a web dev
1227	      who knew how to implement a custom http header yet they would know
1228	      how to validate HTML.  So the question is are we bothered about
1229	      little sites that are likely to have nice tea and XSS holes?  If
1230	      so I suggest updating the HTML W3C validator to require a security
1231	      policy to pass validation if not I suggest a policy file delivered
1232	      by http header.
1233	      ..."

1235	B.13.  Source: Policy Conflict Resolution

1237	   In terms of defining policy conflict resolution, Andrew Steingruebl
1238	   supplied this: <"RE: Content Security Policy and iframe@sandbox"
1239	   (Andrew Steingruebl).  http://lists.w3.org/Archives/Public/
1240	   public-web-security/2011Feb/0048.html>

1242	 > -----Original Message-----
1243	 > From: public-web-security-request@w3.org [mailto:public-web-security-
1244	 > request@w3.org] On Behalf Of Adam Barth
1245	 >
1246	 > @sandbox and CSP are very different.  The primary difference is who
1247	 > choses the policy.  In the case of @sandbox, the embedder chooses
1248	 > the policy. In CSP, the provider of the resource chooses the policy.

1250	 While this is true today, I could imagine a tweak to CSP wherein CSP
1251	 would control all contents hierarchically.  I already spoke to Brandon
1252	 about it, but it was just a quick brainstorm.

1254	 You could imagine revoking permissions in the frame hierarchy and not
1255	 granting them back.  This does start to get awfully ugly, but just as
1256	 CSP controls loading policy for itself, it could also control loading
1257	 policy for children, right?

1259	 Fundamentally, since the existing security model doesn't really provide
1260	 for strict separation of parent/child (popups, 401's, top-nav) CSP and
1261	 iframe sandbox both try to control the behavior of resources we pull
1262	 from other parties.

1264	 Do we think that these are both special cases of a general security
1265	 policy (my intuition says yes) or that they have some quite orthogonal
1266	 types of security controls that cannot be mixed into a single policy
1267	 declaration?

1269	 One clear problem that comes to mind is that there are policies that
1270	 come from the "child" such as X-Frame-Options that must break the
1271	 ordinary parent/child relationship from a precedence standpoint.

1273	Author's Address

1275	   Jeff Hodges
1276	   PayPal
1277	   2211 North First Street
1278	   San Jose, California  95131
1279	   US

1281	   Email: Jeff.Hodges@PayPal.com