Re: [websec] X-Frame-Options EBNF bug at Mozilla

Tue, 26 Feb 2013 08:37:53 -0800 

On 2013-02-26 17:28, Tobias Gondrom wrote:

On 27/02/13 00:06, Julian Reschke wrote:

On 2013-02-26 11:24, Tobias Gondrom wrote:

Thanks a lot for bringing this to WG attention.
It seems that I misread that point when I first wrote the draft.
Actually the same is true for IE.
I corrected the ABNF in the new version to reflect IE and Mozilla
behavior.
Best regards and thanks a lot for catching this!
Tobias
...



See <https://bugzilla.mozilla.org/show_bug.cgi?id=836132#c19>:


  Phil Ames (New to Bugzilla) 2013-02-26 08:00:53 PST

From
http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2
:

"The values are specified as ABNF strings, and therefore are
case-insensitive"

and the relevant methods in the code use
"[header-value].LowerCaseEqualsLiteral(...)" so they match
case-insensitively.

One note, I think the spec is incorrect in stating that FF/Chrome
support colons in 2.2.2, Chrome has no support at all for Allow-From
(just my pending patch which has the same behavior as the one that
led to this bug), and obviously colons are not supported here either
(and the intent seems to be to not permit them).


So I believe
<http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2.2>
needs to be fixed; in the best case by just removing it.


I would be fine with removing this.

Just for the record:

From another reviewer/security researcher, I received on Jan-9 the

following feedback:
"IE8+ :

   X-Frame-Options: ALLOW-FROM http://example.com/

IETF-draft :

   X-Frame-Options: ALLOW-FROM: http://example.com/

IE needs no colon between "ALLOW-FROM" and uri.Firefox and Chrome accept
both."


Firefox is in the process of getting fixed.


Which indicated that Firefox and Chrome would support both, which is why
I kept it in.
But in reflection, it probably does not add value to talk about all
other possible syntax form that could be supported in some browsers due
to tolerance.
...



Indeed, we should only document a single format that will work across 
browsers.




So I would agree with you to remove 2.2.2.
(And if until Sunday I don't hear any objections, I will do so.)

Best regards and thanks for the feedback, Tobias


Best regards, Julian

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec






















					Reply via email to