Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security] from Ian Melven on 2013-03-09 (public-webappsec@w3.org from March 2013)

From: Ian Melven <imelven@mozilla.com>
Date: Fri, 8 Mar 2013 16:14:12 -0800 (PST)
To: public-webappsec@w3.org
Message-ID: <1421007210.1318729.1362788052367.JavaMail.root@mozilla.com>

oops, i forgot :

[1] http://www.veracode.com/blog/2012/11/security-headers-report/

sorry !
ian

----- Original Message -----
From: "Ian Melven" <imelven@mozilla.com>
To: public-webappsec@w3.org
Sent: Friday, March 8, 2013 4:06:42 PM
Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving?  [UI Security]

Yes, I would also suggest to not have top-only.

See https://bugzilla.mozilla.org/show_bug.cgi?id=725490 where folks would like to see
Firefox adopt non-spec-compliant behavior for X-Frame-Options, breaking the 'top-only' case
for existing sites (assuming anyone is using XFO this way and expecting it to only check the top level window). 

Their argument is that it's better to contradict the (now deprecated) XFO spec now because many sites have implemented XFO
compared to CSP [1] and these sites aren't bring protected in the way they're expecting.

I'm on the fence about changing XFO, but I don't see why we need to preserve compatibility here for frame-options.
I'm open to being convinced as always though.

thanks,
ian

----- Original Message -----
From: "Tobias Gondrom" <tobias.gondrom@gondrom.org>
To: public-webappsec@w3.org
Sent: Tuesday, March 5, 2013 1:05:19 AM
Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving?  [UI Security]

Hi all,
actually I can see no benefit to keep the "top-only" keyword.
IMHO exact compatibility is not required and in fact this deprecated
option can lead to insecure implementations.

So IMHO, I would suggest to rather not have "top-only".

Best regards, Tobias

On 05/03/13 13:41, Web Application Security Working Group Issue Tracker
wrote:
> webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]
>
> http://www.w3.org/2011/webappsec/track/issues/45
>
> Raised by: Brad Hill
> On product: UI Security
>
> The current UI Security draft specifies a 'top-only' keyword source for the frame-options directive to preserve exact compatibility with X-Frame-Options.
>
> This is actually a dangerous and mis-understood behavior:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=725490
>
> Is there a good reason to keep the 'top-only' behavior?
>
>
>

Received on Saturday, 9 March 2013 00:14:43 UTC