
Re: Frame embedding: One problem, three possible specs?

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 12 Jul 2011 21:07:35 +0200
Cc: Thomas Roessler <tlr@w3.org>, Adam Barth <w3c@adambarth.com>, Tobias Gondrom <tobias.gondrom@gondrom.org>, Arthur Barstow <art.barstow@nokia.com>, Brad Hill <bhill@paypal-inc.com>, Eric Rescorla <ekr@rtfm.com>, Alexey Melnikov <alexey.melnikov@isode.com>, "Anne van Kesteren" <annevk@opera.com>, Adrian Bateman <adrianba@microsoft.com>, "Brandon Sterne" <bsterne@mozilla.com>, Charles McCathieNevile <chaals@opera.com>, Maciej Stachowiak <mjs@apple.com>, Peter Saint-Andre <stpeter@stpeter.im>, "Michael(tm) Smith" <mike@w3.org>, Mark Nottingham <mnot@mnot.net>, "Jeff Hodges" <jeff.hodges@paypal-inc.com>, "public-web-security@w3.org" <public-web-security@w3.org>, "public-webapps@w3.org" <public-webapps@w3.org>, "websec@ietf.org" <websec@ietf.org>
Message-Id: <E8D46251-DA4C-46B8-8602-D42EC7278CCD@w3.org>
To: David Ross <dross@microsoft.com>
So, looking at this thread, here's what I suggest for the webappsecwg charter: We keep the deliverable in there, but make it very clear that the group should liaise particularly closely with websec "and other IETF work around framing policy" (or some such), explicitly to avoid conflicting or competing specifications.

That way, if the vision of complementary specs that Brad describes materializes, we have the necessary charter coverage, but we're very clear that other work is going on and should be respected.

If that's ok with everybody, I'll make the tweak before we send this to the membership.

--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)

On Jul 8, 2011, at 01:07 , David Ross wrote:

> #3 is a narrowly scoped effort to standardize something that works pretty well today in practice (X-FRAME-OPTIONS).  A conflict with CSP would be bad, but per Adam it seems like overlap is looking less likely.  So proceeding down the current path on #3 sounds good to me.
> 
> David Ross
> dross@microsoft.com
> 
> 
> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com] 
> Sent: Thursday, July 07, 2011 3:24 PM
> To: Thomas Roessler
> Cc: Tobias Gondrom; Arthur Barstow; Brad Hill; Eric Rescorla; Alexey Melnikov; David Ross; Anne van Kesteren; Adrian Bateman; Brandon Sterne; Charles McCathieNevile; Maciej Stachowiak; Peter Saint-Andre; Michael(tm) Smith; Mark Nottingham; Jeff Hodges; public-web-security@w3.org; public-webapps@w3.org; websec@ietf.org
> Subject: Re: Frame embedding: One problem, three possible specs?
> 
> My sense from talking with folks is that there isn't a lot of enthusiasm for supporting this use case in CSP at the present time.
> We're trying to concentrate on a core set of directives for the first iteration.  If it helps reduce complexity, you might consider dropping option (1) for the time being.
> 
> Adam
> 
> 
> On Thu, Jul 7, 2011 at 2:11 PM, Thomas Roessler <tlr@w3.org> wrote:
>> (Warning, this is cross-posted widely. One of the lists is the IETF 
>> websec mailing list, to which the IETF NOTE WELL applies: 
>> http://www.ietf.org/about/note-well.html)
>> 
>> 
>> Folks,
>> 
>> there appear to be at least three possible specifications addressing this space, with similar but different designs:
>> 
>> 1. A proposed deliverable in the WebAppSec group to take up on X-Frame-Options and express those in CSP:
>>  http://www.w3.org/2011/07/appsecwg-charter.html
>> 
>> (We expect that this charter might go to the W3C AC for review as soon 
>> as next week.)
>> 
>> 2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion") currently considered for publication as an FPWD in the Webapps WG:
>>  http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html
>> 
>> This draft mentions integration into CSP as a possible path forward.
>> 
>> 3. draft-gondrom-frame-options, an individual I-D mentioned to websec:
>>  https://datatracker.ietf.org/doc/draft-gondrom-frame-options/
>>  http://www.ietf.org/mail-archive/web/websec/current/msg00388.html
>> 
>> 
>> How do we go about it?  One path forward might be to just proceed as currently planned and coordinate when webappsec starts working.
>> 
>> Another path forward might be to see whether we can agree now on what forum to take these things forward in (and what the coordination dance might look like).
>> 
>> Thoughts welcome.
>> 
>> Regards,
>> --
>> Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)
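The header that option 3 sets out to standardize, and that option 1 wants to re-express in CSP, is small enough to model end to end. The block below is an added example, not code from the thread or from any of the drafts it cites: it parses the three X-Frame-Options values defined in draft-gondrom-frame-options (DENY, SAMEORIGIN, ALLOW-FROM), decides whether a given ancestor chain may frame a page, and emits the equivalent CSP frame-ancestors directive (the directive CSP Level 2 later adopted for this job; it was not part of CSP when this thread was written). The origins bank.example, partner.example and evil.example are made up for illustration. The check_all_ancestors switch models a real implementation difference: the draft compares against the top-level browsing context, while some browsers compared SAMEORIGIN against every ancestor frame.

```python
# Added example: X-Frame-Options (draft-gondrom-frame-options) policy evaluation
# and its CSP frame-ancestors equivalent. Hypothetical origins throughout.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) origin of an absolute URL.

    Scheme and host are lower-cased and a missing port is filled in from the
    scheme's default, so https://A.example and https://a.example:443 compare equal.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not scheme or not host:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def serialize_origin(origin: tuple) -> str:
    """Serialize an origin tuple, omitting the port when it is the scheme default."""
    scheme, host, port = origin
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def parse_xfo(value: str) -> tuple:
    """Parse one X-Frame-Options header value (directive names are case-insensitive).

    Returns ("DENY", None), ("SAMEORIGIN", None) or ("ALLOW-FROM", origin_tuple).
    Anything else raises ValueError. That includes "DENY, SAMEORIGIN", which is what
    a client sees when two X-Frame-Options headers get combined: in practice browsers
    ignore a value they cannot parse, and the page then becomes framable, so a server
    operator wants this to fail loudly rather than silently.
    """
    tokens = value.strip().split()
    if not tokens:
        raise ValueError("empty X-Frame-Options value")
    directive = tokens[0].upper()
    if directive in ("DENY", "SAMEORIGIN"):
        if len(tokens) != 1:
            raise ValueError(f"{directive} takes no argument: {value!r}")
        return (directive, None)
    if directive == "ALLOW-FROM":
        if len(tokens) != 2:
            raise ValueError(f"ALLOW-FROM needs exactly one origin: {value!r}")
        return (directive, origin_of(tokens[1]))
    raise ValueError(f"unknown X-Frame-Options directive: {value!r}")


def may_frame(xfo_value: str, framed_url: str, ancestor_urls: list,
              check_all_ancestors: bool = False) -> bool:
    """Decide whether the document at framed_url, served with xfo_value, may render.

    ancestor_urls lists the frame chain from the direct parent (index 0) up to the
    top-level document (index -1). The draft compares against the top-level browsing
    context only; set check_all_ancestors=True to model browsers that compared
    SAMEORIGIN against every ancestor, which is stricter for nested frames.
    """
    if not ancestor_urls:
        return True  # not framed at all; the header does not apply
    directive, allowed = parse_xfo(xfo_value)
    if directive == "DENY":
        return False
    targets = ancestor_urls if check_all_ancestors else [ancestor_urls[-1]]
    expected = origin_of(framed_url) if directive == "SAMEORIGIN" else allowed
    # ALLOW-FROM was not implemented by every browser of the period; a server relying
    # on it should expect some clients to fall back to "ignore the header".
    return all(origin_of(u) == expected for u in targets)


def to_frame_ancestors(xfo_value: str) -> str:
    """Express the same policy as a CSP frame-ancestors directive."""
    directive, allowed = parse_xfo(xfo_value)
    if directive == "DENY":
        return "frame-ancestors 'none'"
    if directive == "SAMEORIGIN":
        return "frame-ancestors 'self'"
    return f"frame-ancestors {serialize_origin(allowed)}"
```

The nested-frame case is where the two interpretations diverge: a bank page framed by a same-origin page that is itself framed by evil.example passes a top-level-only SAMEORIGIN check and fails the all-ancestors one, which is exactly the kind of behavioural drift a single standardized text is meant to remove.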
Received on Tuesday, 12 July 2011 19:08:08 GMT