- From: Mike West <notifications@github.com>
- Date: Wed, 25 Nov 2020 08:17:04 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/578@github.com>
Guten TAG! I'm requesting a TAG review of requiring embedees to opt-into (rather than -out of) being embedded in cross-origin documents.

Documents can embed anything they like via `<frame>`, `<iframe>`, etc., exposing those embedded resources to a number of attacks, ranging from the well-known risks of clickjacking to the less-understood side-channel risks of XSLeaks and Spectre. Developers can mitigate these risks by choosing to limit the ways in which particular resources can be embedded. The `X-Frame-Options` header and CSP's more-granular `frame-ancestors` directive both provide developers with a measure of defense, but developers must choose to use them.

We should change the web's defaults such that an explicit declaration is necessary to enable cross-origin embedding of a given document. That is, we'd treat the absence of an explicit `X-Frame-Options` or `frame-ancestors` declaration as having more or less the same behavior as `X-Frame-Options: SAMEORIGIN`.

- Explainer¹ (minimally containing user needs and example code): https://github.com/mikewest/embedding-requires-opt-in
- Security and Privacy self-review²: This is a strict reduction in the ability to embed documents, with direct (positive) effect on attackers' ability to exploit side-channels to gain access to other origins' data.
- GitHub repo (if you prefer feedback filed there): https://github.com/mikewest/embedding-requires-opt-in
- Primary contacts (and their relationship to the specification):
  - Mike West (@mikewest, Google)
- Organization/project driving the design: Google
- External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): None yet. You're my first stop.
Further details:

- [X] I have reviewed the TAG's [API Design Principles](https://w3ctag.github.io/design-principles/)
- The group where the incubation/design work on this is being done (or is intended to be done in the future): WICG (or just an issue against HTML)
- The group where standardization of this work is intended to be done ("unknown" if not known): WHATWG
- Existing major pieces of multi-stakeholder review or discussion of this design: None.
- Major unresolved issues with or opposition to this design: None known.
- This work is being funded by: Google.

We'd prefer the TAG leave review feedback as a **comment in this issue** and @-notify @mikewest.

Thanks for your work!

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/578
Received on Wednesday, 25 November 2020 16:17:17 UTC
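The following is an added model of the embedding decision the request describes, not code from the issue or the explainer: given a response's headers and the chain of ancestor origins, it decides whether the document may be framed under today's default (no declaration means embeddable anywhere) and under the proposed default (no declaration behaves like `X-Frame-Options: SAMEORIGIN`). It assumes lower-cased header names in a plain object, exact string comparison of origins, and that `frame-ancestors` (with `'none'`, `'self'`, `*` and literal origins) is the explicit opt-in declaration; the origins and headers in the test are constructed.

```javascript
// Extract the frame-ancestors source list from a Content-Security-Policy value,
// or return null when the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name && name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Every ancestor in the chain must match at least one source expression.
function allowedByFrameAncestors(sources, docOrigin, ancestors) {
  return ancestors.every((ancestor) =>
    sources.some((s) => {
      const src = s.toLowerCase();
      if (src === "'none'") return false;
      if (src === "'self'") return ancestor === docOrigin;
      if (src === "*") return true;
      return src === ancestor.toLowerCase();
    })
  );
}

// Decide whether a document from `docOrigin`, served with `headers`, may be
// embedded by `ancestors` (top-level first). `optInDefault` selects the proposed
// behaviour: a missing declaration is treated like X-Frame-Options: SAMEORIGIN.
function mayBeEmbedded(headers, docOrigin, ancestors, optInDefault) {
  if (ancestors.length === 0) return true; // top-level navigation, not framed
  const fa = parseFrameAncestors(headers["content-security-policy"]);
  if (fa !== null) {
    // When frame-ancestors is present it takes precedence over X-Frame-Options.
    return allowedByFrameAncestors(fa, docOrigin, ancestors);
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  // Explicit SAMEORIGIN, or (proposed default) no recognised declaration at all:
  // every ancestor must be the document's own origin.
  if (xfo === "SAMEORIGIN" || (xfo !== "DENY" && xfo !== "SAMEORIGIN" && optInDefault)) {
    return ancestors.every((ancestor) => ancestor === docOrigin);
  }
  // Today's default: an absent or unrecognised header permits embedding anywhere.
  return true;
}
```

The same undeclared response is embeddable by a foreign origin under the current default and refused under the opt-in default, while an explicit `frame-ancestors` grant keeps cross-origin embedding working in both.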