--- a/user-interface-safety.html Fri Oct 26 13:58:14 2012 -0700
+++ b/user-interface-safety.html Mon Nov 05 07:45:32 2012 -0500
@@ -98,15 +98,15 @@
<section id=sotd>
<p>This is the First Public Working Draft of the User Interface Safety Directives for
Content Security Policy.
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">CSP</a></cite>]
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">CSP</a></cite>]
<p>Portions of the technology described in this document were originally
developed as part of <code>X-Frame-Options</code>
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">XFRAMEOPTIONS</a></cite>],
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">XFRAMEOPTIONS</a></cite>],
the ClearClick module of the Mozilla Firefox add-on NoScript,
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">CLEARCLICK</a></cite>]
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">CLEARCLICK</a></cite>]
and in the InContext system implemented experimentally in Internet Explorer
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">INCONTEXT</a></cite>]. </p>
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">INCONTEXT</a></cite>]. </p>
<p>In addition to the documents in the W3C Web Application Security working
group, the work on this document is also informed by the work of the <a
@@ -124,8 +124,8 @@
<p>This document defines User Interface Safety directives for Content Security
Policy, a mechanism web applications can use to mitigate some of the risks
of User Interface (UI) Redressing
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">UI-REDRESS</a></cite>]
-and Clickjacking [<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">UI-REDRESS</a></cite>]
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">UI-REDRESS</a></cite>]
+and Clickjacking [<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">CLICKJACKING</a></cite>]
vulnerabilities that can lead to fraudulent actions not intended by the user. </p>
<p>Content Security Policy (CSP) is a declarative policy that lets the authors (or
@@ -156,7 +156,7 @@
button out of context. </p>
<p>Existing anti-clickjacking measures including frame-busting
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">FRAMEBUSTING</a></cite>]
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">FRAMEBUSTING</a></cite>]
codes and <code>X-Frame-Options</code> are fundamentally incompatible with embeddable third-party
widgets, and insufficient to defend against timing-based attack vectors. </p>
@@ -277,11 +277,6 @@
;
</pre>
-<p class="issue">How to define <code>source-expression</code>, <code>host-source</code>,
-etc. that may have different definitions depending on version of CSP? Basically, how
-do we reference versions of CSP that may not yet exist?</p>
-
-
</section></section><section>
<h2 id="sec-directives">Directives</h2>
@@ -292,6 +287,12 @@
<section>
<h3><code>frame-options</code></h3>
+<p class="issue">The functionatlity described in this directive is
+currently defined by <a href="http://tools.ietf.org/html/draft-ietf-websec-frame-options-00">
+http://tools.ietf.org/html/draft-ietf-websec-frame-options-00</a>, managed by the IETF
+<a href="http://tools.ietf.org/wg/websec/">Websec WG</a>. Movement of the definition of this feature to the current document has not been
+resolved and it may be removed from a future version.</a>
+
<p>The <code>frame-options</code> directive indicates whether the
user-agent should embed the resource using a <code>frame</code>,
<code>iframe</code>, <code>object</code>, <code>embed</code> or <code>applet</code> tag,
@@ -303,7 +304,7 @@
<pre>
directive-name = "frame-options"
-directive-value = ('deny' / 'self' / 1*1<host-source> ['self']) / ('deny' / 'self' / 1*1<host-source>) 'top-only'
+directive-value = 'deny' / 'self' ['top-only'] / 1*1<host-source> ['self'] / 1*1<host-source> 'top-only'
</pre>
<p class="issue">Should we use source-expression rather than host-source here? host-source
@@ -319,16 +320,24 @@
cannot be displayed in an embedded context, regardless of the origin attempting
to do so, and all other values in the directive are ignored.</p>
-<p>If the directive-value does not contain <code>'deny'</code> it may
-contain the keyword-source <code>'self'</code> alone to indicate that the
-resource may be embedded only if all <strong>ancestors</strong> are in
-the same origin as the protected resource.</p>
+<p>If the directive-value contains the keyword-source <code>'self'</code>
+alone to indicate that the resource may be embedded only if all
+<strong>ancestors</strong> are in the same origin as the protected resource.</p>
-<p>If the directive-value does not contain the <code>'deny'</code> keyword-source,
-a host-source value indicates an origin that is a valid
+<p>A host-source value indicates an origin that is a valid
<strong>ancestor</strong> for the resource. No more than one additional host-source may
be specified, with the exception of the keyword-source 'self'. </p>
+<p class="issue">The restriction to a single additional host source value was based on
+the request of the Websec WG as part of moving this feature to this document. This
+decision should be evaluated in the context of CSP. For example, while standalone
+implementations of X-Frame-Options may not have wanted to incur the complexity of
+parsing potentially large lists of origins, CSP implementaions must already be robust
+in their handling of such lists. The inclusion of multiple origins may reveal
+details of the security model of a resource that chooses to publish such a policy and
+risks associated with this should be discussed in the Security Considerations section
+if any change is made.</p>
+
<p>If the <code>'top-only'</code> keyword-source is specified, only the origin of the
top-level browsing context is checked, not the full window frame tree of ancestors. This
provides compatibility with <code>X-Frame-Options</code> but may introduce vulnerabilities