1 / 10

(draft-gondrom-frame-options-01) David Ross, T obias Gondrom July 2011

(draft-gondrom-frame-options-01) David Ross, T obias Gondrom July 2011. Frame-Options. Frame-Options. History Use Cases Draft TBD Future steps. Frame-Options - History. X-Frame-Options widely deployed/used to prevent XSS, CSRF First draft as result from Beijing and OWASP Summit :

jun
Download Presentation

(draft-gondrom-frame-options-01) David Ross, T obias Gondrom July 2011

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. (draft-gondrom-frame-options-01)David Ross, Tobias GondromJuly 2011 Frame-Options

  2. Frame-Options • History • Use Cases • Draft • TBD • Future steps

  3. Frame-Options - History • X-Frame-Options widely deployed/used to prevent XSS, CSRF • First draft as result from Beijing and OWASP Summit: • Running code and (some) consensus by implementers in using X-FRAME-OPTIONS • HTTP-Header: • DENY: cannot be displayed in a frame, regardless of the site attempting to do so. • SAMEORIGIN: can only be displayed if the top-frame is of the same “origin” as the page itself.

  4. Frame-Options – Example Use-Cases • A.1. Shop • An Internet Marketplace/Shop link/button to "Buy this" Gadget, wants their affiliates to be able to stick the "Buy such-and-such from XYZ" IFRAMES into their pages. • A.2. Confirm Purchase Page • Onlineshop"Confirm purchase" anti-CSRF page. The Confirm Purchase page must be shown to the end user without possibility of overlay or misuse by an attacker.

  5. Frame-Options - draft • Frame-Options • In EBNF: Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" / ("ALLOW-FROM" ":" Origin-List) • DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so. • SAMEORIGIN: can only be displayed in a frame on the same origin as the page itself. • ALLOW-FROM: can only be displayed in a frame on the specified origin(s)

  6. 6. Frame-Options - TBD • Allowed framing: only top-level or whole frame chain • Origin: is not the same as in origin draft (scheme:URI:port) • Allow-From: one or more origins (parsing) • Behavior in case of a fail: “No-Frame page” • Interdependencies with CSP (frame-ancestor)

  7. Frame-Options - Allow-From • Allow-From: from only one location • Reasons: • Privacy of other allowed framing sites • Keep size of http header small • Not to handle on web servers but in application • Procedure: • Origin of requesting page will be verified dynamically by the server and answer with matching Allow-From if authorized.

  8. Frame-Options – future steps • Other approaches: • CSP defining framed-by policy: CSP authors indicated to support Frame-Options instead of part of CSP • The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion") about half page document appeared a few weeks ago as an FPWD in the W3C WebappsWG: http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html • Includes idea control of other embedded objects like fonts, images.

  9. Frame-Options – future steps • Do we want to work on this in websec? • Review volunteers • Already received a number of reviews, but more never hurts

  10. Thank you

More Related