Diff of draft-ietf-websec-x-frame-options-06.txt (-06) against
draft-ietf-websec-x-frame-options-07.txt (-07). Text that is identical
in both versions appears once; where the versions differ, the -06 and
-07 wording are listed one after the other under those labels.

WEBSEC                                                           D. Ross
Internet-Draft                                                 Microsoft
Intended status: Informational                                T. Gondrom
                                                          Thames Stanley
-06:
Expires: January 28, 2014                                  July 27, 2013
-07:
Expires: January 30, 2014                                  July 29, 2013

                   HTTP Header Field X-Frame-Options
-06:
                 draft-ietf-websec-x-frame-options-06
-07:
                 draft-ietf-websec-x-frame-options-07
Abstract

   To improve the protection of web applications against Clickjacking,
   this specification describes the X-Frame-Options HTTP response header
   field that declares a policy communicated from the server to the
   client browser on whether the browser may display the transmitted
   content in frames that are part of other web pages.  This
   informational document serves to document the existing use and
   specification of this X-Frame-Options HTTP response header field.
skipping to change at page 1, line 37
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-06:
   This Internet-Draft will expire on January 28, 2014.
-07:
   This Internet-Draft will expire on January 30, 2014.
Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 2, line 49
   In 2009 and 2010 many browser vendors ([Microsoft-X-Frame-Options],
   [CLICK-DEFENSE-BLOG], [Mozilla-X-Frame-Options]) introduced the use
   of a non-standard HTTP [RFC2616] header field "X-Frame-Options" to
   protect against Clickjacking [Clickjacking].  HTML-based web
   applications can embed or "frame" other web pages.  Clickjacking is a
   type of attack that occurs when an attacker uses multiple transparent
   or opaque layers in the user interface to trick a user into clicking
   on a button or link on another page from server B when they were
   intending to click on the same place of the overlaying page from
-06:
   server A.  Thus, Thus, the attacker is "hijacking" clicks meant for
   their page A and routing them to another page B.  The attacker is
   tricking the user (who sees the overlaying user interface content
   from page A) into clicking specific locations on the underlying page
   from server B, triggering some actions on server B and potentially
   using an existing session context in that step.  This is an attack on
   both the user and on server B.  And server A may or may not be the
   attacker.
-07:
   server A.  Thus, the attacker is "hijacking" clicks meant for their
   page A and routing them to another page B.  The attacker is tricking
   the user (who sees the overlaying user interface content from page A)
   into clicking specific locations on the underlying page from server
   B, triggering some actions on server B and potentially using an
   existing session context in that step.  This is an attack on both the
   user and on server B.  And server A may or may not be the attacker.
   This specification provides informational documentation about the
   current use and definition of the X-Frame-Options HTTP header field.
   Given that the "X-" construction is deprecated [RFC6648], the X
   -Frame-Options header field will in the future be replaced by the
   Frame-Options directive in the Content Security Policy Version 1.1
   [CSP-1-1].

   Existing anti-ClickJacking measures, e.g. Frame-breaking Javascript,
   have weaknesses so that their protection can be circumvented as a
skipping to change at page 4, line 49
   identical with the ALLOW-FROM URI.  Though in conflict with
   [RFC6454], current implementations do not consider the port as a
   defining component of the origin.

   Wildcards or lists to declare multiple domains in one ALLOW-FROM
   statement are not permitted (see Section 2.3.2.3).

2.2.  Augmented Backus-Naur Form (ABNF)
-06:
   The RFC 5234 [RFC5234] ABNF of the X-Frame-Options header field value
   is:
-07:
   The RFC 5234 [RFC5234] ABNF of the X-Frame-Options header field value
   is the following.

   X-Frame-Options = "DENY"
                   / "SAMEORIGIN"
                   / ( "ALLOW-FROM" RWS URI )
-06 only:
   RWS             = 1*( SP / HTAB )
                     ; required whitespace

   With URI as defined in [RFC3986] and the definition of RWS (required
   whitespace) is the same as in [HTTPbis-P1].

   RWS is used when at least one linear whitespace octet is required to
   separate field tokens.  RWS SHOULD be generated as a single space
   (SP).  Multiple RWS octets that occur within field-content SHOULD
   either be replaced with a single SP or transformed to all SP octets
   before interpreting the field value or forwarding the message
   downstream.

-06 only:
   And SP (space) and HTAB (horizontal tab) are as defined in RFC 5234
   [RFC5234], Appendix B.1.
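Review bot: dropping the inline "RWS = 1*( SP / HTAB )" production in -07 leaves the X-Frame-Options grammar using a rule name it no longer defines; the prose pointer to [HTTPbis-P1] covers the meaning, but the ABNF should import the rule explicitly (e.g. "RWS = <RWS, see [HTTPbis-P1]>") so that it is complete on its own, and the -06 sentence defining SP and HTAB should then go with it rather than being removed while RWS was still defined locally. Separately, "( "ALLOW-FROM" RWS URI )" with URI taken from [RFC3986] admits a path, query and fragment, while section 2.1 compares only scheme and host (the port being ignored by current implementations); either the grammar should take an origin rather than a full URI, or the text should state that any path or query in the ALLOW-FROM value is ignored, since the example "ALLOW-FROM https://example.com/" already carries a trailing path.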
   The values are specified as ABNF strings, and therefore are case-
   insensitive.

2.2.1.  Examples of X-Frame-Options

   X-FRAME-OPTIONS: DENY

   X-FRAME-OPTIONS: SAMEORIGIN

   X-FRAME-OPTIONS: ALLOW-FROM https://example.com/
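   The following is an added example and not text from either draft: a
   JavaScript implementation of the parsing rules from the ABNF above and
   the comparison rules from section 2.1 (scheme and host compared, port
   ignored, wildcards and lists rejected), written the way a browser
   would apply them. The function names are this example's own. Two
   points are assumptions of the example rather than statements of the
   draft as shown here: the policy is compared against the top-level
   page's URL, and a value that does not match the grammar is treated as
   "no policy" (the header is ignored), which matches common browser
   behaviour.

```javascript
// Added example (not from the draft): parse and enforce an
// X-Frame-Options field value as the ABNF in section 2.2 describes it.
// Uses only the WHATWG URL class that Node and browsers provide globally.

// Parse a field value into a policy object, or return null if it does not
// match the grammar. Runs of SP/HTAB (RWS) are collapsed to one SP first,
// and matching is case-insensitive because ABNF strings are.
function parseXFrameOptions(fieldValue) {
  const normalized = fieldValue.replace(/[ \t]+/g, ' ').trim();
  const upper = normalized.toUpperCase();
  if (upper === 'DENY') return { directive: 'DENY' };
  if (upper === 'SAMEORIGIN') return { directive: 'SAMEORIGIN' };

  // "ALLOW-FROM" RWS URI: exactly one URI. \S+ anchored at $ rejects lists
  // such as "ALLOW-FROM a b", which section 2.1 says are not permitted.
  const match = /^ALLOW-FROM (\S+)$/i.exec(normalized);
  if (match === null) return null;
  let uri;
  try {
    uri = new URL(match[1]);            // must be an absolute URI
  } catch (e) {
    return null;
  }
  // Wildcards are not permitted either; the URL parser accepts "*" in a
  // hostname, so reject it explicitly.
  if (uri.hostname.includes('*')) return null;
  return { directive: 'ALLOW-FROM', uri: uri.href };
}

// Origin comparison as section 2.1 describes current implementations:
// scheme and host must match, the port is NOT considered (this departs
// from RFC 6454, where the port is part of the origin).
function sameOriginIgnoringPort(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol &&
         a.hostname.toLowerCase() === b.hostname.toLowerCase();
}

// Decide whether a response carrying X-Frame-Options may be rendered in a
// frame. Assumptions of this example, not statements of the draft:
//  - the policy is compared against the top-level page's URL (topUrl);
//  - a value that does not parse is treated as "no policy" (header
//    ignored), which matches common browser behaviour.
function mayRenderInFrame(fieldValue, framedUrl, topUrl) {
  const policy = parseXFrameOptions(fieldValue);
  if (policy === null) return true;
  switch (policy.directive) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return sameOriginIgnoringPort(framedUrl, topUrl);
    case 'ALLOW-FROM':
      return sameOriginIgnoringPort(policy.uri, topUrl);
    default:
      return false;
  }
}

// Constructed inputs (not from the draft) for a stand-alone run:
// [header value, URL of the framed response, URL of the top-level page].
const samples = [
  ['DENY', 'https://bank.example/', 'https://evil.example/'],
  ['SAMEORIGIN', 'https://example.com:8443/app', 'https://example.com/'],
  ['ALLOW-FROM https://example.com/', 'https://bank.example/', 'https://evil.example/'],
  ['ALLOW-FROM https://*.example.com/', 'https://bank.example/', 'https://evil.example/'],
];
for (const [value, framed, top] of samples) {
  console.log(JSON.stringify(value), '->', mayRenderInFrame(value, framed, top));
}
```

   Two of the constructed cases show the caveats a deployer should
   check: because the port is ignored, a SAMEORIGIN page served from
   https://example.com is frameable by a page on https://example.com:8443
   (any other service on the same host and scheme), and a wildcard such
   as "ALLOW-FROM https://*.example.com/" does not match the grammar, so
   under the "ignore invalid values" assumption it yields no protection
   at all rather than a restricted one.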
skipping to change at page 8, line 4 (-06) / page 7, line 49 (-07)
   This memo is a request to IANA to include the specified HTTP header
   in the registry as outlined in Registration Procedures for Message
   Header Fields [RFC3864]

4.1.  Registration Template

   PERMANENT MESSAGE HEADER FIELD REGISTRATION TEMPLATE:

   Header field name: X-Frame-Option

-06:
   Applicable protocol: http [RFC2616]

   Applicable protocol: http [RFC2616]
-07:
   Applicable protocol: http [RFC2616]

   Status: informational

   Author/Change controller: IETF

   Specification document(s): draft-ietf-websec-x-frame-options

   Related information:

                                 Figure 1
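Review bot: -07 removes the duplicated "Applicable protocol" line but leaves "Header field name: X-Frame-Option" in both versions, which drops the trailing "s"; the registered name must be "X-Frame-Options" exactly as it appears on the wire and in the examples in section 2.2.1, otherwise the IANA entry will not match the field that browsers and servers actually use. "Related information:" is also left empty; pointing it at the vendor documentation already cited ([Microsoft-X-Frame-Options], [Mozilla-X-Frame-Options]) would make the registry entry useful on its own.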
skipping to change at page 9, line 47 (-06) / page 9, line 43 (-07)
              <http://www.owasp.org/index.php/Clickjacking>.

   [FRAME-BUSTING]
              Stanford Web Security Research, "Busting frame busting: a
              study of clickjacking vulnerabilities at popular sites",
              2010, <http://seclab.stanford.edu/websec/framebusting/>.

   [HTTPbis-P1]
              IETF, "Hypertext Transfer Protocol (HTTP/1.1): Message
              Syntax and Routing", 2013,
-06:
              <http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-22>.
-07:
              <http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-23>.

   [Microsoft-X-Frame-Options]
              Microsoft, "Combating ClickJacking With X-Frame-Options",
              2010, <http://blogs.msdn.com/b/ieinternals/archive/2010/03
              /30/combating-clickjacking-with-x-frame-options.aspx>.

   [Mozilla-X-Frame-Options]
              Mozilla, "The X-Frame-Options response header", 2010,
              <https://developer.mozilla.org/en-US/docs/The_X-FRAME-
              OPTIONS_response_header>.
End of changes. 10 change blocks.
18 lines changed or deleted, 23 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is
available from http://tools.ietf.org/tools/rfcdiff/