Re: [websec] X-Frame-Options EBNF bug at Mozilla

2013-02-26 Thread Julian Reschke

On 2013-02-26 17:28, Tobias Gondrom wrote:
> On 27/02/13 00:06, Julian Reschke wrote:
>> On 2013-02-26 11:24, Tobias Gondrom wrote:
>>> Thanks a lot for bringing this to WG attention.
>>> It seems that I misread that point when I first wrote the draft.
>>> Actually the same is true for IE.
>>> I corrected the ABNF in the new version to reflect IE and Mozilla
>>> behavior.
>>> Best regards and thanks a lot for catching this!
>>> Tobias
>>> ...
>>
>> See :
>>
>>>  Phil Ames (New to Bugzilla) 2013-02-26 08:00:53 PST
>>>
>>> From
>>> http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2
>>> :
>>>
>>> "The values are specified as ABNF strings, and therefore are
>>> case-insensitive"
>>>
>>> and the relevant methods in the code use
>>> "[header-value].LowerCaseEqualsLiteral(...)" so they match
>>> case-insensitively.
>>>
>>> One note, I think the spec is incorrect in stating that FF/Chrome
>>> support colons in 2.2.2, Chrome has no support at all for Allow-From
>>> (just my pending patch which has the same behavior as the one that
>>> led to this bug), and obviously colons are not supported here either
>>> (and the intent seems to be to not permit them).
>>
>> So I believe
>>
>> needs to be fixed; in the best case by just removing it.
>
> I would be fine with removing this.
>
> Just for the record:
> From another reviewer/security researcher, I received on Jan-9 the
> following feedback:
> "IE8+ :
>
>   X-Frame-Options: ALLOW-FROM http://example.com/
>
> IETF-draft :
>
>   X-Frame-Options: ALLOW-FROM: http://example.com/
>
> IE needs no colon between "ALLOW-FROM" and uri. Firefox and Chrome accept
> both."

Firefox is in the process of getting fixed.

> Which indicated that Firefox and Chrome would support both, which is why
> I kept it in.
> But in reflection, it probably does not add value to talk about all
> other possible syntax form that could be supported in some browsers due
> to tolerance.
> ...

Indeed, we should only document a single format that will work across
browsers.

> So I would agree with you to remove 2.2.2.
> (And if until Sunday I don't hear any objections, I will do so.)
>
> Best regards and thanks for the feedback, Tobias

Best regards, Julian

___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec


Re: [websec] X-Frame-Options EBNF bug at Mozilla

2013-02-26 Thread Tobias Gondrom
On 27/02/13 00:06, Julian Reschke wrote:
> On 2013-02-26 11:24, Tobias Gondrom wrote:
>> Thanks a lot for bringing this to WG attention.
>> It seems that I misread that point when I first wrote the draft.
>> Actually the same is true for IE.
>> I corrected the ABNF in the new version to reflect IE and Mozilla
>> behavior.
>> Best regards and thanks a lot for catching this!
>> Tobias
>> ...
>
>
> See :
>
>>  Phil Ames (New to Bugzilla) 2013-02-26 08:00:53 PST
>>
>> From
>> http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2
>> :
>>
>> "The values are specified as ABNF strings, and therefore are
>> case-insensitive"
>>
>> and the relevant methods in the code use
>> "[header-value].LowerCaseEqualsLiteral(...)" so they match
>> case-insensitively.
>>
>> One note, I think the spec is incorrect in stating that FF/Chrome
>> support colons in 2.2.2, Chrome has no support at all for Allow-From
>> (just my pending patch which has the same behavior as the one that
>> led to this bug), and obviously colons are not supported here either
>> (and the intent seems to be to not permit them).
>
> So I believe
> 
> needs to be fixed; in the best case by just removing it.

I would be fine with removing this.

Just for the record:
From another reviewer/security researcher, I received on Jan-9 the
following feedback:
"IE8+ :

  X-Frame-Options: ALLOW-FROM http://example.com/

IETF-draft :

  X-Frame-Options: ALLOW-FROM: http://example.com/

IE needs no colon between "ALLOW-FROM" and uri. Firefox and Chrome accept
both."

Which indicated that Firefox and Chrome would support both, which is why
I kept it in.
But in reflection, it probably does not add value to talk about all
other possible syntax form that could be supported in some browsers due
to tolerance.

So I would agree with you to remove 2.2.2.
(And if until Sunday I don't hear any objections, I will do so.)

Best regards and thanks for the feedback, Tobias


>
> Best regards, Julian


Re: [websec] X-Frame-Options EBNF bug at Mozilla

2013-02-26 Thread Julian Reschke

On 2013-02-26 11:24, Tobias Gondrom wrote:
> Thanks a lot for bringing this to WG attention.
> It seems that I misread that point when I first wrote the draft.
> Actually the same is true for IE.
> I corrected the ABNF in the new version to reflect IE and Mozilla behavior.
> Best regards and thanks a lot for catching this!
> Tobias
> ...

See :

>  Phil Ames (New to Bugzilla) 2013-02-26 08:00:53 PST
>
> From
> http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2 :
>
> "The values are specified as ABNF strings, and therefore are case-insensitive"
>
> and the relevant methods in the code use
> "[header-value].LowerCaseEqualsLiteral(...)" so they match case-insensitively.
>
> One note, I think the spec is incorrect in stating that FF/Chrome support
> colons in 2.2.2, Chrome has no support at all for Allow-From (just my pending
> patch which has the same behavior as the one that led to this bug), and
> obviously colons are not supported here either (and the intent seems to be to
> not permit them).

So I believe

needs to be fixed; in the best case by just removing it.

Best regards, Julian


Re: [websec] X-Frame-Options EBNF bug at Mozilla

2013-02-26 Thread Tobias Gondrom
Thanks a lot for bringing this to WG attention.
It seems that I misread that point when I first wrote the draft.
Actually the same is true for IE.
I corrected the ABNF in the new version to reflect IE and Mozilla behavior.
Best regards and thanks a lot for catching this!
Tobias


On 12/02/13 06:09, Hill, Brad wrote:
> This bug at Mozilla was recently brought to my attention:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=836132
>
> It seems to indicate that the specified EBNF of using a colon between 
> "ALLOW-FROM" and the URI is not the actual behavior of most user agents that 
> implement that functionality.
>
> Perhaps we should update this to reflect the predominant implementation in 
> the field. (Internet Explorer's)
>
> -Brad
>
>> -Original Message-
>> From: websec-boun...@ietf.org [mailto:websec-boun...@ietf.org] On
>> Behalf Of Yoav Nir
>> Sent: Tuesday, January 29, 2013 5:30 AM
>> To: Julian Reschke
>> Cc: IETF WebSec WG
>> Subject: Re: [websec] WGLC feedback for X-Frame-Options
>>
>> Yes. Tobias will submit a revised version soon, incorporating the WGLC
>> comments.
>>
>> Yoav
>>
>> On Jan 29, 2013, at 3:20 PM, Julian Reschke 
>>  wrote:
>>
>>> On 2012-11-06 18:25, Julian Reschke wrote:
>>>> Hi there,
>>>>
>>>> here's my feedback from the HTTP/editorial point of view:
>>>> ...
>>> Just checking: is the WG still working on this draft? There doesn't seem to
>>> be any activity since October 2012...


Re: [websec] X-Frame-Options EBNF bug at Mozilla

2013-02-13 Thread Julian Reschke

On 2013-02-11 23:09, Hill, Brad wrote:
> This bug at Mozilla was recently brought to my attention:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=836132
>
> It seems to indicate that the specified EBNF of using a colon between
> "ALLOW-FROM" and the URI is not the actual behavior of most user agents that
> implement that functionality.
>
> Perhaps we should update this to reflect the predominant implementation in the
> field. (Internet Explorer's)
>
> -Brad

Removing the colon (*not* making it optional) would also be consistent
with the description in
.

Note that the ABNF needs to be updated to RFC 5234 syntax anyway, and
that it should only describe the header field value, such as:

  X-Frame-Options = "DENY"
                  / "SAMEORIGIN"
                  / ("ALLOW-FROM" RWS URI)

  RWS =
  URI =

(we may want to discuss restricting URI to scheme + authority, though).

Best regards, Julian
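The field-value grammar Julian sketches in the message above, together with Phil Ames's point that ABNF strings match case-insensitively and the colon-versus-whitespace confusion the whole thread is about, as an added validator. This is example code written for this page, not code from the thread, from any browser or from an IETF draft. It assumes RWS is one or more SP / HTAB, applies the "scheme + authority" restriction Julian floats as a warning rather than a hard error, and runs over constructed sample header lines.

```python
"""Validator for X-Frame-Options field values (added example).

Grammar implemented, as proposed on the websec list:

    X-Frame-Options = "DENY" / "SAMEORIGIN" / ("ALLOW-FROM" RWS URI)

Directive names match case-insensitively. The older draft form with a
colon after ALLOW-FROM is reported as a problem instead of being accepted,
because the thread reports that IE does not recognise it.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

FIELD_NAME = "x-frame-options"   # for checking complete "Name: value" lines


@dataclass(frozen=True)
class XFOResult:
    """Outcome of validating one X-Frame-Options value."""
    directive: Optional[str]        # "DENY", "SAMEORIGIN", "ALLOW-FROM" or None
    uri: Optional[str] = None       # normalised scheme://authority for ALLOW-FROM
    problem: Optional[str] = None   # None when the value is interoperable

    @property
    def ok(self) -> bool:
        return self.directive is not None and self.problem is None


def _check_allow_from_uri(uri: str) -> XFOResult:
    """Validate the URI operand and reduce it to scheme + authority."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return XFOResult("ALLOW-FROM", uri,
                         "ALLOW-FROM needs an absolute http(s) URI with an authority")
    origin = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    problem = None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        # Assumption: only scheme + authority matter for the framing decision
        # (the restriction discussed in the thread), so extra components are
        # flagged rather than silently dropped.
        problem = "URI components beyond scheme + authority are ignored; emit the origin only"
    return XFOResult("ALLOW-FROM", origin, problem)


def parse_xfo(value: str) -> XFOResult:
    """Parse a field value such as 'ALLOW-FROM http://example.com/'."""
    v = value.strip(" \t")
    lowered = v.lower()              # ABNF strings are case-insensitive
    if lowered == "deny":
        return XFOResult("DENY")
    if lowered == "sameorigin":
        return XFOResult("SAMEORIGIN")
    if lowered.startswith("allow-from"):
        rest = v[len("allow-from"):]
        if rest.startswith(":"):
            # The colon form from draft -02 section 2.2.2; IE ignores it.
            return XFOResult("ALLOW-FROM", rest[1:].strip(" \t") or None,
                             "colon after ALLOW-FROM is not understood by IE; "
                             "write 'ALLOW-FROM <uri>' with whitespace only")
        if rest[:1] not in (" ", "\t"):
            return XFOResult("ALLOW-FROM", None, "ALLOW-FROM must be followed by whitespace")
        operands = rest.split()      # RWS = 1*( SP / HTAB ), assumed here
        if len(operands) != 1:
            return XFOResult("ALLOW-FROM", None, "ALLOW-FROM takes exactly one URI")
        return _check_allow_from_uri(operands[0])
    return XFOResult(None, None, f"unrecognised directive {v!r}")


def parse_header_line(line: str) -> XFOResult:
    """Check a whole 'X-Frame-Options: value' line. The field name's own colon
    is split off first, so only the value's syntax is judged."""
    name, sep, value = line.partition(":")
    if not sep or name.strip().lower() != FIELD_NAME:
        return XFOResult(None, None, "not an X-Frame-Options header line")
    return parse_xfo(value)


def interoperable_allow_from(origin: str) -> str:
    """Serialise the single form the thread settles on for all browsers."""
    result = _check_allow_from_uri(origin)
    if result.problem or result.uri is None:
        raise ValueError(result.problem or "invalid origin")
    return f"ALLOW-FROM {result.uri}"


if __name__ == "__main__":
    # Constructed sample header lines covering the forms discussed on the list.
    SAMPLES = [
        "X-Frame-Options: DENY",
        "x-frame-options: sameorigin",
        "X-Frame-Options: ALLOW-FROM http://example.com/",
        "X-Frame-Options: ALLOW-FROM: http://example.com/",
        "X-Frame-Options: allow-from\thttps://Example.com/path?q=1",
        "X-Frame-Options: ALLOW-FROM example.com",
    ]
    for sample in SAMPLES:
        r = parse_header_line(sample)
        print(f"{sample!r:60} -> {r.directive} {r.uri or ''} {'OK' if r.ok else r.problem}")
```

Run as a script it prints a verdict per sample line; in a deployment check you would feed it the response headers your own servers emit and treat any non-OK ALLOW-FROM as a configuration defect, since a header IE cannot parse gives no framing protection there at all.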


[websec] X-Frame-Options EBNF bug at Mozilla

2013-02-11 Thread Hill, Brad
This bug at Mozilla was recently brought to my attention:

https://bugzilla.mozilla.org/show_bug.cgi?id=836132

It seems to indicate that the specified EBNF of using a colon between 
"ALLOW-FROM" and the URI is not the actual behavior of most user agents that 
implement that functionality.

Perhaps we should update this to reflect the predominant implementation in the 
field. (Internet Explorer's)

-Brad

> -Original Message-
> From: websec-boun...@ietf.org [mailto:websec-boun...@ietf.org] On
> Behalf Of Yoav Nir
> Sent: Tuesday, January 29, 2013 5:30 AM
> To: Julian Reschke
> Cc: IETF WebSec WG
> Subject: Re: [websec] WGLC feedback for X-Frame-Options
> 
> Yes. Tobias will submit a revised version soon, incorporating the WGLC
> comments.
> 
> Yoav
> 
> On Jan 29, 2013, at 3:20 PM, Julian Reschke 
>  wrote:
> 
> > On 2012-11-06 18:25, Julian Reschke wrote:
> >> Hi there,
> >>
> >> here's my feedback from the HTTP/editorial point of view:
> >> ...
> >
> > Just checking: is the WG still working on this draft? There doesn't seem to
> > be any activity since October 2012...
> >
> 