W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2013

RE: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 18 Mar 2013 16:33:51 +0000
To: David Ross <dross@microsoft.com>, Anne van Kesteren <annevk@annevk.nl>
CC: Ian Melven <imelven@mozilla.com>, Tobias Gondrom <tobias.gondrom@gondrom.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27969150@DEN-EXDDA-S12.corp.ebay.com>
> IMO, we should avoid breaking sites that still subscribe to the old model by
> keeping the top-only option intact.  However I do agree that top-only should not
> be the default in CSP UI.
> 
> David Ross
> dross@microsoft.com

[Hill, Brad] I'm sympathetic to this, but is this a materialized concern?  Is anyone aware of sites that depend on this behavior, or that would want/need to continue to depend on it after updating their headers from XFO to CSP?   It seems like a great opportunity to make the policy more concrete and secure.

Do any browsers (looking at Moz) have or would be able to provide telemetry illustrating if there are sites that work with top-only and would fail with ancestor-aware checks?  (just wondering about existence, not specific names)

-Brad

> 
> 
> -----Original Message-----
> From: annevankesteren@gmail.com [mailto:annevankesteren@gmail.com] On
> Behalf Of Anne van Kesteren
> Sent: Tuesday, March 12, 2013 7:09 AM
> To: Hill, Brad
> Cc: Ian Melven; Tobias Gondrom; public-webappsec@w3.org
> Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI
> Security]
> 
> On Tue, Mar 12, 2013 at 2:03 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> > [Hill, Brad] That's covered in
> >
> > https://dvcs.w3.org/hg/user-interface-safety/raw-file/0475e30847bf/use

> > r-interface-safety.html
> >
> > but I would certainly appreciate comments to make the behavior more
> explicit if you feel such is necessary.
> 
> I would expect MUST, not SHOULD. I would also expect that to result from
> following a set of rules. E.g.
> 
> 1. If the CSP header is present and contains X, do ...
> 
> 2. Otherwise, if the CSP header does not contain X, run these substeps:
> 
> 2.1 If there's a X-Frame-Options header, do ...
> 
> To make it completely unambiguous what is expected from implementations.
> 
> 
> --
> http://annevankesteren.nl/

> 
> 

Received on Monday, 18 March 2013 16:34:20 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:00 UTC