
Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

From: Tobias Gondrom <tobias.gondrom@gondrom.org>
Date: Mon, 11 Mar 2013 12:05:52 +0800
Message-ID: <513D5820.2040601@gondrom.org>
To: public-webappsec@w3.org
Current approach is to only document XFO (as an RFC) and put all future
improvements as FO in the future CSP1.1. So to now start
updating/amending XFO would not make sense. And updates/improvements
should go into the future FO in CSP1.1.

Tobias
On 09/03/13 08:06, Ian Melven wrote:
> Yes, I would also suggest to not have top-only.
>
> See https://bugzilla.mozilla.org/show_bug.cgi?id=725490 where folks would like to see
> Firefox adopt non-spec-compliant behavior for X-Frame-Options, breaking the 'top-only' case
> for existing sites (assuming anyone is using XFO this way and expecting it to only check the top level window). 
>
> Their argument is that it's better to contradict the (now deprecated) XFO spec now because many sites have implemented XFO
> compared to CSP [1] and these sites aren't being protected in the way they're expecting.
>
> I'm on the fence about changing XFO, but I don't see why we need to preserve compatibility here for frame-options.
> I'm open to being convinced as always though.
>
> thanks,
> ian
>
>
>
>
> ----- Original Message -----
> From: "Tobias Gondrom" <tobias.gondrom@gondrom.org>
> To: public-webappsec@w3.org
> Sent: Tuesday, March 5, 2013 1:05:19 AM
> Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]
>
> Hi all,
> actually I can see no benefit to keep the "top-only" keyword.
> IMHO exact compatibility is not required and in fact this deprecated
> option can lead to insecure implementations.
>
> So IMHO, I would suggest to rather not have "top-only".
>
> Best regards, Tobias
>
>
> On 05/03/13 13:41, Web Application Security Working Group Issue Tracker
> wrote:
>> webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]
>>
>> http://www.w3.org/2011/webappsec/track/issues/45
>>
>> Raised by: Brad Hill
>> On product: UI Security
>>
>> The current UI Security draft specifies a 'top-only' keyword source for the frame-options directive to preserve exact compatibility with X-Frame-Options.
>>
>> This is actually a dangerous and misunderstood behavior:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=725490
>>
>> Is there a good reason to keep the 'top-only' behavior?
>>
Received on Monday, 11 March 2013 04:06:24 UTC
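The thread turns on the difference between a 'top-only' check and a check of every ancestor browsing context. The following Python model is an added example, not code from the thread, the UI Security draft, or any browser; it assumes that 'top-only' compares only the top-level window's origin against the framed resource, that the alternative compares every ancestor in the chain, and it simplifies origins to scheme plus host and port. The frame chains (`example.com`, `intermediary.example`) are constructed sample data.

```python
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """Reduce a URL to a scheme://host[:port] origin string (simplified; no default-port folding)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def allowed_top_only(resource: str, ancestors: list[str]) -> bool:
    """Assumed 'top-only' semantics: only the top-level window is compared.

    `ancestors` is ordered from the top-level window down to the immediate parent.
    An empty chain means the resource is not framed at all.
    """
    if not ancestors:
        return True
    return origin(ancestors[0]) == origin(resource)


def allowed_all_ancestors(resource: str, ancestors: list[str]) -> bool:
    """Every ancestor, not just the top-level window, must share the resource's origin."""
    return all(origin(a) == origin(resource) for a in ancestors)


def compare_policies(resource: str, ancestors: list[str]) -> dict:
    """Evaluate both interpretations side by side for one frame chain."""
    return {
        "top_only": allowed_top_only(resource, ancestors),
        "all_ancestors": allowed_all_ancestors(resource, ancestors),
    }


# Constructed frame chains illustrating where the two interpretations diverge.
RESOURCE = "https://example.com/account"

CASES = {
    # Not framed: both interpretations allow rendering.
    "unframed": [],
    # Directly framed by a same-origin page: both allow.
    "same_origin_parent": ["https://example.com/dashboard"],
    # Directly framed by a foreign page: both deny.
    "foreign_parent": ["https://intermediary.example/wrap"],
    # Same-origin top-level window, foreign intermediate frame, then the resource:
    # 'top-only' allows it because only the top window is inspected, while the
    # all-ancestors check denies it. This gap is the "misunderstood" case.
    "foreign_intermediate": [
        "https://example.com/dashboard",
        "https://intermediary.example/wrap",
    ],
}


def evaluate_all() -> dict:
    """Run every constructed case through both checks."""
    return {name: compare_policies(RESOURCE, chain) for name, chain in CASES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:22} top_only={verdict['top_only']!s:5} all_ancestors={verdict['all_ancestors']}")
```

The `foreign_intermediate` case is the one a site author relying on 'top-only' would not expect: the policy passes even though a frame it does not control sits between the top-level window and the protected page. Comparing the two verdicts on a site's own frame layouts is a quick way to see whether a deployed header actually enforces what the author assumes.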
