(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1.

Slides:



Advertisements
Similar presentations
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.
Advertisements

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
OWASP Periodic Table of Vulnerabilities James Landis
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Agenda Tobias Gondrom July 2011 Websec WG IETF 81 1.
Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.
 To publish information for global distribution, one needs a universally understood language, a kind of publishing mother tongue that all computers may.
Understand Web Page Development Software Development Fundamentals LESSON 4.1.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.
 A chunk of code that you can imbed in an existing envronment  Differences › Resides: desktop or web › Embedding: any page or application or limited.
Web Page Behavior IS 373—Web Standards Todd Will.
Web Privacy Topics Andy Zeigler Senior Program Manager, Internet Explorer Microsoft.
Chapter 14: Personalization and TrustCopyright © 2004 by Prentice Hall User-Centered Website Development: A Human- Computer Interaction Approach.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Internet Basics.
Application Layer. Applications A program or group of programs designed for end users. A program or group of programs designed for end users. Software.
Security and JavaScript. Learning Objectives By the end of this lecture, you should be able to: – Describe what is meant by JavaScript’s same-origin security.
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Tracking Services for ANY websites and web applications Zhu Xiong CSE 403 LCO.
Universal Design & Web Accessibility Iain Murray Kerry Hoath Iain Murray Kerry Hoath.
Understanding SharePoint 2013 Add-In Security Vulnerabilities
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
JavaScript, Fourth Edition
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
(draft-ietf-websec-frame-options-00 and draft-ietf-websec-x-frame-options-00) David Ross, Tobias Gondrom July 2012 Frame-Options 1.
Copyright 2007, Information Builders. Slide 1 Understanding Basic HTML Amanda Regan Technical Director June, 2008.
1 Personalization and Trust Personalization Mass Customization One-to-One Marketing Structure content & navigation to meet the needs of individual users.
Planning your site/organization on the Web Please use speaker notes for additional information!
Websec WG (apps area) (Tobias Gondrom) Web page: charter, current documents
200 pt 300 pt 400 pt 500 pt 100 pt 200 pt 300 pt 400 pt 500 pt 100 pt 200pt 300 pt 400 pt 500 pt 100 pt 200 pt 300 pt 400 pt 500 pt 100 pt 200 pt 300 pt.
Web Design (1) Terminology. Coding ‘languages’ (1) HTML - Hypertext Markup Language - describes the content of a web page CSS - Cascading Style Sheets.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
1 WWW. 2 World Wide Web Major application protocol used on the Internet Simple interface Two concepts –Point –Click.
University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Web Design and Development. World Wide Web  World Wide Web (WWW or W3), collection of globally distributed text and multimedia documents and files 
Cross-site request forgery Collin Jackson CS 142 Winter 2009.
Introduction to Web & HTML
Website Design, Development and Maintenance ONLY TAKE DOWN NOTES ON INDICATED SLIDES.
No Escape From Reality: Security and Privacy of Augmented Reality Browsers WWW '15.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Chapter 27 Getting “Web-ified” (Web Applications) Clearly Visual Basic: Programming with Visual Basic nd Edition.
HTML Frames. Advantages to Using Frames n flexibility in design n information in different Web pages n remove redundancy. n site easier to manage. n update.
CSRF Attacks Daniel Chen 11/18/15. What is CSRF?  Cross Site Request Forgery (Sea-Surf)  AKA XSRF/ One Click / Sidejacking / Session Riding  Exploits.
HTML HyperText Markup Language Victoria E. Kozlek.
(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom March 2011 Frame-Options 1.
Agenda Tobias Gondrom March 2011 Websec WG IETF 80 1.
Browser code isolation John Mitchell CS 155 Spring 2016.
Will New HTTP headers save us? John Wilander, OWASP/Omegapoint, IBWAS’10.
Website Design and Construction Services and Standards.
ColdFusion: Code Security Best Practices Presented at CCFUG Mar 2016 By Denard Springle.
Open Solutions for a Changing World™ Eddy Kleinjan Copyright 2005, Data Access WordwideNew Techniques for Building Web Applications June 6-9, 2005 Key.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Agenda Alexey, Yoav, Tobias July 2012
WWW and HTTP King Fahd University of Petroleum & Minerals
Security mechanisms and vulnerabilities in .NET
How To Create Cox New Account?
Welcome To Web Tutor Basics of Designing a website
Microsoft FrontPage 2003 Illustrated Complete
Auditing Etsy The Security of Etsy
An Introduction to JavaScript
Exploring DOM-Based Cross Site Attacks
Security and JavaScript
Cross Site Request Forgery (CSRF)
Presentation transcript:

(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1

1. History 2. Use Cases 3. Draft 4. TBD 5. Future steps 2

Frame-Options - History X-Frame-Options widely deployed/used to prevent XSS, CSRF First draft as result from Beijing and OWASP Summit: Running code and (some) consensus by implementers in using X-FRAME-OPTIONS HTTP-Header: DENY: cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN: can only be displayed if the top- frame is of the same “origin” as the page itself. 3

Frame-Options – Example Use-Cases A.1. Shop An Internet Marketplace/Shop link/button to "Buy this" Gadget, wants their affiliates to be able to stick the "Buy such-and-such from XYZ" IFRAMES into their pages. A.2. Confirm Purchase Page Onlineshop "Confirm purchase" anti-CSRF page. The Confirm Purchase page must be shown to the end user without possibility of overlay or misuse by an attacker. 4

Frame-Options - draft Frame-Options In EBNF: Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" / ("ALLOW-FROM" ":" Origin-List) DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN: can only be displayed in a frame on the same origin as the page itself. ALLOW-FROM: can only be displayed in a frame on the specified origin(s) 5

6. Frame-Options - TBD Allowed framing: only top-level or whole frame chain Origin: is not the same as in origin draft (scheme:URI:port) Allow-From: one or more origins (parsing) Behavior in case of a fail: “No-Frame page” Interdependencies with CSP (frame-ancestor) 6

Frame-Options - Allow-From Allow-From: from only one location Reasons: 1. Privacy of other allowed framing sites 2. Keep size of http header small 3. Not to handle on web servers but in application Procedure: Origin of requesting page will be verified dynamically by the server and answer with matching Allow-From if authorized. 7

Frame-Options – future steps Other approaches: CSP defining framed-by policy: CSP authors indicated to support Frame-Options instead of part of CSP The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion") about half page document appeared a few weeks ago as an FPWD in the W3C Webapps WG: webapps/2011JulSep/0088.html webapps/2011JulSep/0088.html Includes idea control of other embedded objects like fonts, images. 8

Frame-Options – future steps Do we want to work on this in websec? Review volunteers Already received a number of reviews, but more never hurts 9

Thank you 10

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.