updated text and issues around frame-options
Mon, 05 Nov 2012 07:45:32 -0500
changeset 11 864651e3e51c
parent 10 3e7ba0f12494
child 12 e9c87d20037b
updated text and issues around frame-options
--- a/user-interface-safety.html	Fri Oct 26 13:58:14 2012 -0700
+++ b/user-interface-safety.html	Mon Nov 05 07:45:32 2012 -0500
@@ -98,15 +98,15 @@
 <section id=sotd>
 <p>This is the First Public Working Draft of the User Interface Safety Directives for
 Content Security Policy.
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">CSP</a></cite>]
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">CSP</a></cite>]
 <p>Portions of the technology described in this document were originally
 developed as part of <code>X-Frame-Options</code> 
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">XFRAMEOPTIONS</a></cite>], 
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">XFRAMEOPTIONS</a></cite>], 
 the ClearClick module of the Mozilla Firefox add-on NoScript, 
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">CLEARCLICK</a></cite>] 
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">CLEARCLICK</a></cite>] 
 and in the InContext system implemented experimentally in Internet Explorer 
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">INCONTEXT</a></cite>]. </p>
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">INCONTEXT</a></cite>]. </p>
 <p>In addition to the documents in the W3C Web Application Security working
 group, the work on this document is also informed by the work of the <a
@@ -124,8 +124,8 @@
 <p>This document defines User Interface Safety directives for Content Security
 Policy, a mechanism web applications can use to mitigate some of the risks
 of User Interface (UI) Redressing  
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">UI-REDRESS</a></cite>]
-and Clickjacking [<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">UI-REDRESS</a></cite>]
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">UI-REDRESS</a></cite>]
+and Clickjacking [<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">CLICKJACKING</a></cite>]
 vulnerabilities that can lead to fraudulent actions not intended by the user. </p>
 <p>Content Security Policy (CSP) is a declarative policy that lets the authors (or
@@ -156,7 +156,7 @@
 button out of context. </p>
 <p>Existing anti-clickjacking measures including frame-busting
-[<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">FRAMEBUSTING</a></cite>]
+[<cite><a class="bibref" rel="biblioentry" href="#bib-XXX">FRAMEBUSTING</a></cite>]
  codes and <code>X-Frame-Options</code> are fundamentally incompatible with embeddable third-party
 widgets, and insufficient to defend against timing-based attack vectors. </p>
@@ -277,11 +277,6 @@
-<p class="issue">How to define <code>source-expression</code>, <code>host-source</code>,
-etc. that may have different definitions depending on version of CSP?  Basically, how
-do we reference versions of CSP that may not yet exist?</p>
 <h2 id="sec-directives">Directives</h2>
@@ -292,6 +287,12 @@
+<p class="issue">The functionatlity described in this directive is
+currently defined by <a href="http://tools.ietf.org/html/draft-ietf-websec-frame-options-00">
+http://tools.ietf.org/html/draft-ietf-websec-frame-options-00</a>, managed by the IETF
+<a href="http://tools.ietf.org/wg/websec/">Websec WG</a>. Movement of the definition of this feature to the current document has not been
+resolved and it may be removed from a future version.</a>
 <p>The <code>frame-options</code> directive indicates whether the
 user-agent should embed the resource using a <code>frame</code>,
 <code>iframe</code>, <code>object</code>, <code>embed</code> or <code>applet</code> tag,
@@ -303,7 +304,7 @@
 directive-name  = "frame-options"
-directive-value = ('deny' / 'self' / 1*1&lt;host-source&gt; ['self']) / ('deny' / 'self' / 1*1&lt;host-source&gt;) 'top-only'
+directive-value = 'deny' / 'self' ['top-only'] / 1*1&lt;host-source&gt; ['self'] /  1*1&lt;host-source&gt; 'top-only'
 <p class="issue">Should we use source-expression rather than host-source here? host-source
@@ -319,16 +320,24 @@
 cannot be displayed in an embedded context, regardless of the origin attempting
 to do so, and all other values in the directive are ignored.</p>
-<p>If the directive-value does not contain <code>'deny'</code> it may
-contain the keyword-source <code>'self'</code> alone to indicate that the 
-resource may be embedded only if all <strong>ancestors</strong> are in 
-the same origin as the protected resource.</p>
+<p>If the directive-value contains the keyword-source <code>'self'</code> 
+alone to indicate that the resource may be embedded only if all 
+<strong>ancestors</strong> are in the same origin as the protected resource.</p>
-<p>If the directive-value does not contain the <code>'deny'</code> keyword-source,
-a host-source value indicates an origin that is a valid 
+<p>A host-source value indicates an origin that is a valid 
 <strong>ancestor</strong> for the resource. No more than one additional host-source may
 be specified, with the exception of the keyword-source 'self'.  </p>
+<p class="issue">The restriction to a single additional host source value was based on
+the request of the Websec WG as part of moving this feature to this document.  This
+decision should be evaluated in the context of CSP.  For example, while standalone
+implementations of X-Frame-Options may not have wanted to incur the complexity of
+parsing potentially large lists of origins, CSP implementaions must already be robust
+in their handling of such lists.  The inclusion of multiple origins may reveal
+details of the security model of a resource that chooses to publish such a policy and
+risks associated with this should be discussed in the Security Considerations section
+if any change is made.</p>
 <p>If the <code>'top-only'</code> keyword-source is specified, only the origin of the
 top-level browsing context is checked, not the full window frame tree of ancestors.  This
 provides compatibility with <code>X-Frame-Options</code> but may introduce vulnerabilities