On Fri, Aug 16, 2013 at 7:44 PM, Hill, Brad <bh...@paypal-inc.com> wrote:
> Additional comments inline.
> ________________________________________
>
> (D3) Shouldn't ALLOW-FROM be followed by an origin, not a URI? In other
> words, what does it mean to send "X-Frame-Options: ALLOW-FROM
> https://example.com/this/is/a/path?query#fragment"?
>
> [Hill, Brad] Agreed.

Great.

> (D3) In the ALLOW-FROM: what does "top level context" mean? Do you
> really mean the top level here, as opposed to the next one up? For
> example, suppose A loads B in an iframe, and B loads C, and then C sends
> an X-Frame-Options header with ALLOW-FROM. Is the ALLOW-FROM origin
> compared to B or A? In either case, you should also note the attacks
> that remain. For example, if the answer is B, then B needs to use
> X-Frame-Options as well, or else, A can maliciously frame A within B. Or
> if the answer is A, then C is trusting A not to load any malicious
> intermediate frames B.
>
> [Hill, Brad] This really does mean the top/final origin value in a frame
> ancestor chain walk. Browsers have implemented X-Frame-Options to check the
> Origin context that is topmost in the window or tab. (the _top target,
> representing the full, original browsing context, not just the immediate
> parent frame) This could be clarified perhaps, but is not incorrect.

OK, that's fine. Could you please just note the risk that an intermediate
frame in a nested scenario could do bad things? For example, in the
Security Considerations:

"""
When SAMEORIGIN or ALLOW-FROM values are used, there is some residual risk
in nested framing scenarios. For example, suppose that A loads B in an
iframe; B loads C; and C sends an X-Frame-Options header with the value
"ALLOW-FROM A". The browser will allow this setup, because the ALLOW-FROM
origin sent by C matches the top-level origin. However, the intermediate
framing page B may still be able to perform clickjacking attacks against A.

Thus, sites using this mechanism should keep in mind that by emitting an
X-Frame-Options header with value SAMEORIGIN or ALLOW-FROM, they are not
only granting permission to the indicated origin (the same origin, or the
ALLOW-FROM origin), but also to any origins included as frames within that
origin.
"""

Thanks,
--Richard
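The following is an added example, not part of the thread, that models the X-Frame-Options check as Brad describes it (only the topmost browsing context is compared) and makes the residual risk Richard describes visible: the intermediate frame B is never consulted. The origins A, B and C are constructed sample values, and `toOrigin` also shows the D3 point that an ALLOW-FROM value carrying a path, query or fragment must be reduced to a bare origin before comparison.

```javascript
// Added example (not from the websec thread): a minimal model of how a
// browser evaluates X-Frame-Options for the document at the bottom of a
// frame chain. Only the _top ancestor is compared, per Brad's description.

// Reduce a URL or bare origin to scheme://host[:port], dropping any path,
// query and fragment (the D3 observation about ALLOW-FROM taking a URI).
function toOrigin(value) {
  return new URL(value).origin;
}

// Parse an X-Frame-Options header value into a policy object.
function parseXfo(header) {
  const v = header.trim();
  if (/^DENY$/i.test(v)) return { mode: "DENY" };
  if (/^SAMEORIGIN$/i.test(v)) return { mode: "SAMEORIGIN" };
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(v);
  if (m) return { mode: "ALLOW-FROM", origin: toOrigin(m[1]) };
  throw new Error("unrecognised X-Frame-Options value: " + header);
}

// ancestors: ancestor document URLs from the top-level page down to the
// immediate parent, e.g. [A, B] when A frames B and B frames C.
// Only ancestors[0] (the _top context) is ever compared.
function framingAllowed(header, selfUrl, ancestors) {
  if (ancestors.length === 0) return true; // not framed at all
  const policy = parseXfo(header);
  const top = toOrigin(ancestors[0]);
  switch (policy.mode) {
    case "DENY": return false;
    case "SAMEORIGIN": return top === toOrigin(selfUrl);
    case "ALLOW-FROM": return top === policy.origin;
    default: throw new Error("unreachable");
  }
}

// The ancestors the policy said nothing about: everything below _top.
// These are the intermediate frames Richard's Security Considerations
// text warns about.
function uncheckedIntermediates(ancestors) {
  return ancestors.slice(1).map(toOrigin);
}

// Constructed scenario from the thread: A frames B, B frames C, and C
// sends "ALLOW-FROM A" (here with a path/query/fragment attached).
const A = "https://a.example/";
const B = "https://b.example/page";
const C = "https://c.example/widget";
const xfo = "ALLOW-FROM https://a.example/this/is/a/path?query#fragment";
console.log(framingAllowed(xfo, C, [A, B]));   // true: only A is checked
console.log(uncheckedIntermediates([A, B]));   // ["https://b.example"]
```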
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec