rfcdiff: draft-ietf-websec-x-frame-options-11.txt vs draft-ietf-websec-x-frame-options-12.txt
(the two versions are identical except on the lines marked [-11] and [-12] below)

WEBSEC                                                           D. Ross
Internet-Draft                                                 Microsoft
Intended status: Informational                                T. Gondrom
Expires: February 28, 2014                                Thames Stanley
                                                         August 27, 2013

                   HTTP Header Field X-Frame-Options
[-11]           draft-ietf-websec-x-frame-options-11
[-12]           draft-ietf-websec-x-frame-options-12

Abstract

   To improve the protection of web applications against Clickjacking,
   this definition describes the X-Frame-Options HTTP response header
   field that declares a policy communicated from the server to the
   client browser on whether the browser may display the transmitted
   content in frames that are part of other web pages.  This
   informational document serves to document the existing use and
   specification of this X-Frame-Options HTTP response header field.

[skipping to change at page 10, line 31]

   1.  Using X-FRAME-OPTIONS with the parameter ALLOW-FROM allows a page
       to guess or infer information about who is framing it.  A web
       server may answer requests with the X-FRAME-OPTIONS ALLOW-FROM
       header and by thus determine which other page is framing it.
       This is inherent by design, but may lead to data leakage or data
       protection concerns.

   2.  The web server using the ALLOW-FROM directive may disclose to
       other parties who request the page in the header by which page it
       is allowed to be framed.  If a web server wishes to reduce this
[-11]  leakage, it is recommended to generate the ALLOW-FRAM header for
[-12]  leakage, it is recommended to generate the ALLOW-FROM header for
       each request based on the design pattern as described in section
       2.3.2.3.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.
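Review bot: The ALLOW-FRAM to ALLOW-FROM correction in item 2 of the Security Considerations is right, but the same sentence still calls ALLOW-FROM a "header"; ALLOW-FROM is a directive (value) of the X-Frame-Options header field, as the first sentence of item 2 itself says, so "generate the X-Frame-Options ALLOW-FROM value for each request" would be more accurate. Item 1 also still reads "header and by thus determine", which should be "header and can thus determine". Both could be fixed in the same editorial pass.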
End of changes.  2 change blocks.  2 lines changed or deleted, 2 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/