W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2013

Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 12 Mar 2013 18:44:08 -0700
Message-ID: <513FD9E8.2010700@mozilla.com>
To: David Ross <dross@microsoft.com>
CC: Anne van Kesteren <annevk@annevk.nl>, "Hill, Brad" <bhill@paypal-inc.com>, Ian Melven <imelven@mozilla.com>, Tobias Gondrom <tobias.gondrom@gondrom.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 3/12/2013 1:33 PM, David Ross wrote:
> X-FRAME-OPTIONS was designed around the idea that users make trust
> decisions based on the top level trust UI – they simply cannot make a
> reasonable trust decision about specific unmarked rectangles (frames)
> that may exist on the page.
>
> The introduction of the sandbox attribute changed the model to enable
> sites to safely host fully arbitrary, untrusted content in frames.
> This change to the model created demand for the suggested ancestor
> walk.

_Users_ make trust decisions based on the topmost URL, but that's not 
the problem here. The "ancestor walk" in Mozilla's original 
frame-ancestors feature was based on site content (not users) deciding 
which sites they trust to frame them without attempting any tricks. The 
user may "trust" randomunknown.com to show them a cat video without 
having any idea it's framing their bank.

It had nothing to do with <iframe sandbox> which we had not considered 
implementing at that time. Rather, we were worried that a complex domain 
like Google or Facebook may frame some of its own content, but may also 
frame partner domains on other parts of its site. For example, Twitter 
streams can frame YouTube videos, but I bet if Twitter relies on XFO: 
SAMEORIGIN anywhere they aren't entirely happy having to trust that 
YouTube won't suffer an XSS bug.

-Dan Veditz
Received on Wednesday, 13 March 2013 01:44:40 UTC
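The difference Dan describes, a top-only X-Frame-Options comparison versus an ancestor walk that checks every document in the frame chain, can be made concrete in a few lines. The following is an added illustration, not code from this thread or from any browser; it assumes a simplified source grammar ('self', 'none', *, host, *.host, scheme://host, ports ignored), an ancestor list ordered from the immediate parent up to the top-level document, and a constructed scenario in which a twitter.com page is framed by a youtube.com document that is in turn framed by twitter.com.

```python
"""
Simulate two framing checks side by side:
  - X-Frame-Options evaluated against the top-level document only ("top-only")
  - a frame-ancestors style walk that evaluates every ancestor in the chain
Assumptions (not from the thread): ports are ignored, and the source
grammar is a reduced form of the CSP frame-ancestors syntax.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def origin(url: str) -> str:
    """Return scheme://host of a URL, lower-cased (port dropped by assumption)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}".lower()


def xfo_top_only_allows(xfo_value: str, framed_url: str, ancestors: list[str]) -> bool:
    """X-Frame-Options compared against the top-level document only.

    `ancestors` runs from the immediate parent to the top-level document.
    An empty chain means the document is itself top-level and always loads.
    """
    if not ancestors:
        return True
    top = origin(ancestors[-1])
    directive, _, arg = xfo_value.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return top == origin(framed_url)
    if directive == "ALLOW-FROM":
        return top == origin(arg.strip())
    # Unrecognised value: treated here as an ignored header, so framing proceeds.
    return True


def _source_matches(source: str, anc_origin: str, self_origin: str) -> bool:
    """Match one frame-ancestors source expression against an ancestor origin."""
    source = source.lower()
    if source == "'self'":
        return anc_origin == self_origin
    if source == "'none'":
        return False
    if source == "*":
        return True
    scheme, _, host = source.rpartition("://") if "://" in source else ("", "", source)
    anc_scheme, _, anc_host = anc_origin.partition("://")
    if scheme and scheme != anc_scheme:
        return False
    if host.startswith("*."):
        # "*.example.com" matches "a.example.com" but not "example.com" itself
        return anc_host.endswith(host[1:])
    return anc_host == host


def ancestor_walk_allows(frame_ancestors: str, framed_url: str, ancestors: list[str]) -> bool:
    """frame-ancestors style check: every ancestor must match one listed source."""
    sources = frame_ancestors.split()
    self_origin = origin(framed_url)
    for anc in ancestors:
        anc_origin = origin(anc)
        if not any(_source_matches(s, anc_origin, self_origin) for s in sources):
            return False
    return True


# Constructed scenario (not from the thread's data): a twitter.com page that
# sends "X-Frame-Options: SAMEORIGIN" is framed by a youtube.com document,
# which is itself framed by twitter.com. Chain order is parent -> top.
FRAMED = "https://twitter.com/settings"
CHAIN = ["https://www.youtube.com/embed/abc", "https://twitter.com/home"]


def compare() -> dict[str, bool]:
    """Run both checks over the constructed chain and report what each allows."""
    return {
        # top-only sees only twitter.com at the top and lets the load through
        "xfo_top_only": xfo_top_only_allows("SAMEORIGIN", FRAMED, CHAIN),
        # the walk notices the youtube.com ancestor and refuses
        "ancestor_walk_self": ancestor_walk_allows("'self'", FRAMED, CHAIN),
        # a site can opt a partner in explicitly and still keep the full walk
        "ancestor_walk_partner": ancestor_walk_allows("'self' *.youtube.com", FRAMED, CHAIN),
    }


if __name__ == "__main__":
    for check, allowed in compare().items():
        print(f"{check}: {'allowed' if allowed else 'blocked'}")
```

The top-only comparison answers "allowed" for the constructed chain because the top-level document is twitter.com, exactly the case Dan is worried about; the ancestor walk blocks it unless youtube.com is listed as a permitted framer.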
