Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

yes, this is the argument i have made in our bug on changing XFO. 

I also filed another Mozilla bug for implementing frame-options in CSP :
https://bugzilla.mozilla.org/show_bug.cgi?id=846978

comments/feedback in either of those bugs are very welcome ! :)

thanks,
ian


----- Original Message -----
From: "Tobias Gondrom" <tobias.gondrom@gondrom.org>
To: public-webappsec@w3.org
Sent: Sunday, March 10, 2013 9:05:52 PM
Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]

Current approach is to only document XFO (as an RFC) and put all future
improvements as FO in the future CSP1.1. So to now start
updating/amending XFO would not make sense. And updates/improvements
should go into the future FO in CSP1.1.

Tobias



On 09/03/13 08:06, Ian Melven wrote:
> Yes, I would also suggest to not have top-only.
>
> See https://bugzilla.mozilla.org/show_bug.cgi?id=725490 where folks would like to see
> Firefox adopt non-spec-compliant behavior for X-Frame-Options, breaking the 'top-only' case
> for existing sites (assuming anyone is using XFO this way and expecting it to only check the top level window). 
>
> Their argument is that it's better to contradict the (now deprecated) XFO spec now because many sites have implemented XFO
> compared to CSP [1] and these sites aren't being protected in the way they're expecting.
>
> I'm on the fence about changing XFO, but I don't see why we need to preserve compatibility here for frame-options.
> I'm open to being convinced as always though.
>
> thanks,
> ian
>
>
>
>
> ----- Original Message -----
> From: "Tobias Gondrom" <tobias.gondrom@gondrom.org>
> To: public-webappsec@w3.org
> Sent: Tuesday, March 5, 2013 1:05:19 AM
> Subject: Re: webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving?  [UI Security]
>
> Hi all,
> actually I can see no benefit to keep the "top-only" keyword.
> IMHO exact compatibility is not required and in fact this deprecated
> option can lead to insecure implementations.
>
> So IMHO, I would suggest to rather not have "top-only".
>
> Best regards, Tobias
>
>
> On 05/03/13 13:41, Web Application Security Working Group Issue Tracker
> wrote:
>> webappsec-ISSUE-45 ('top-only'): Is 'top-only' worth preserving? [UI Security]
>>
>> http://www.w3.org/2011/webappsec/track/issues/45
>>
>> Raised by: Brad Hill
>> On product: UI Security
>>
>> The current UI Security draft specifies a 'top-only' keyword source for the frame-options directive to preserve exact compatibility with X-Frame-Options.
>>
>> This is actually a dangerous and misunderstood behavior:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=725490
>>
>> Is there a good reason to keep the 'top-only' behavior?
>>
>>
>>
>
>
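The difference the thread is arguing about (checking only the top-level window, as the original X-Frame-Options 'top-only' semantics do, versus checking every ancestor browsing context) is easier to see in code. The following is an added example, not code from the thread, from the UI Security draft, or from any browser; the policy grammar ('deny', 'self', and a top-only switch) and the function names are this example's own simplifications of the frame-options directive under discussion, and the origins in the sample chain are constructed.

```javascript
// Added example: a simplified model of how a user agent could evaluate a
// framing policy against the chain of ancestor documents. It contrasts the
// 'top-only' semantics (compare only the top-level window, as the old
// XFO SAMEORIGIN behaviour did) with checking every ancestor. The policy
// values and the function names are assumptions made for this example.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// policy:      'deny' (never framed) or 'self' (framed only by same origin)
// resourceUrl: the URL of the document carrying the policy
// ancestors:   URLs of the ancestor documents, ordered from the immediate
//              parent up to the top-level window; [] means "not framed"
// topOnly:     when true, mimic 'top-only' and look at the outermost
//              ancestor only instead of the whole chain
function isFramingAllowed(policy, resourceUrl, ancestors, { topOnly = false } = {}) {
  if (ancestors.length === 0) return true;   // a top-level load is never "framed"
  if (policy === 'deny') return false;       // no framing context is acceptable
  if (policy !== 'self') throw new Error(`unsupported policy: ${policy}`);

  const self = originOf(resourceUrl);
  // 'top-only' keeps just the outermost ancestor; an intermediate
  // cross-origin frame between us and the top window is never looked at.
  const toCheck = topOnly ? [ancestors[ancestors.length - 1]] : ancestors;
  return toCheck.every((a) => originOf(a) === self);
}

// Evaluate both semantics for the same chain so the gap is visible.
function compareSemantics(policy, resourceUrl, ancestors) {
  return {
    topOnly: isFramingAllowed(policy, resourceUrl, ancestors, { topOnly: true }),
    allAncestors: isFramingAllowed(policy, resourceUrl, ancestors),
  };
}

// Constructed scenario: a 'self'-protected page is embedded by a
// cross-origin document, which is itself embedded by a same-origin
// top-level page (for instance a portal page that frames third-party content).
const PROTECTED = 'https://bank.example/transfer';
const NESTED_CHAIN = ['https://third-party.example/widget', 'https://bank.example/portal'];

const verdict = compareSemantics('self', PROTECTED, NESTED_CHAIN);
// Under 'top-only' the top window is same-origin, so the load is allowed
// even though a cross-origin document sits in between; checking every
// ancestor blocks it. That gap is the "dangerous and misunderstood
// behaviour" the issue refers to.
console.log(verdict); // { topOnly: true, allAncestors: false }
```

The ancestor list is modelled as plain URLs so the check runs outside a browser; a real implementation walks the browsing-context hierarchy instead, but the decision it has to make at each level is the same one `isFramingAllowed` makes over the array.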

Received on Monday, 11 March 2013 17:31:38 UTC