Re: 'frame-options' and 'deny'. from Daniel Veditz on 2013-11-27 (public-webappsec@w3.org from November 2013)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 27 Nov 2013 13:21:29 -0800
To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
CC: Brad Hill <bhill@paypal-inc.com>, Garrett Robinson <grobinson@mozilla.com>
Message-ID: <52966259.6050802@mozilla.com>

On 11/27/2013 3:02 AM, Mike West wrote:
> 1. Change the name to match Mozilla's 'frame-ancestors'

X-Frame-Options is far, far more widely used on the web than CSP, and of
the sites using CSP frame-ancestors doesn't seem that common. Calling
the directive 'frame-options' might have some educational benefit. Then
again it leads to your deny/none dilemma...

I don't feel strongly about which name is used; Firefox will likely
continue supporting frame-ancestors as a deprecated synonym for a while
if we go with frame-options.

> 2.  Replace the 'deny' keyword with 'none'.

Please! We already use 'self' instead of SAMEORIGIN, right? I was
thinking of objecting to 'deny' as well.

> 1. Folks already using 'frame-ancestors' would be subject to the more
> strict ancestor-checking in the current spec. I can't really judge how
> much of a concern this is. Mozilla folks: do you have an idea how
> widely-used the current behavior is?

What difference are you seeing? frame-ancestors should apply to all
ancestors no matter how deep the frames are nested. This was in
Mozilla's original spec before MS had even announced XFO.

> 2. We close the door on other "options" in the future. Are there other
> things planned that would make the (not terribly painful) pain of
> implementing another directive parser worthwhile?

We could still add "modifiers" in the future if you drop the -options
name (the way 'unsafe-inline' modifies script-src behavior) but not full
independent frame behaviors. Can't think of ones we'd want to add other
than sandboxing and we've already got that as a separate directive.

Unless we plan additional features the name frame-options is vague and
unclear, except to the extent people are familiar with the XFO header.
The header is slightly clearer in use, though, because it's not "XFO:
<origin>" but "XFO: allow-from <origin>".

If people object to the length of frame-ancestors we could also consider
'framers' which is half as long and still clearer about what it does
than frame-options.

-Dan Veditz

Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature

Received on Wednesday, 27 November 2013 21:21:57 UTC