Presentation is loading. Please wait.

Presentation is loading. Please wait.

(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom March 2011 Frame-Options 1.

Published bySophia Pope Modified over 9 years ago

Similar presentations

Presentation on theme: "(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom March 2011 Frame-Options 1."— Presentation transcript:

1 (draft-gondrom-frame-options-01) David Ross, Tobias Gondrom March 2011 Frame-Options 1

2 1. History 2. Use Cases 3. Draft 4. TBD 5. Next steps 2

3 Frame-Options - History X-Frame-Options First draft as result from Beijing and OWASP Summit: Running code and (some) consensus by implementers in using X-FRAME-OPTIONS HTTP-Header: DENY: cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN: can only be displayed if the top- frame is of the same “origin” as the page itself. 3

4 Frame-Options – Example Use-Cases A.1. Shop An Internet Marketplace/Shop link/button to "Buy this" Gadget, wants their affiliates to be able to stick the "Buy such-and-such from XYZ" IFRAMES into their pages. A.2. Confirm Purchase Page Onlineshop "Confirm purchase" anti-CSRF page. The Confirm Purchase page must be shown to the end user without possibility of overlay or misuse by an attacker. 4

5 Frame-Options - draft X-Frame-Options In EBNF: Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" / ("ALLOW-FROM" ":" Origin-List) DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN: can only be displayed in a frame on the same origin as the page itself. ALLOW-FROM: can only be displayed in a frame on the specified origin(s) 5

6 6. Frame-Options - TBD Allowed framing: only top-level or whole frame chain Origin: is not the same as in origin draft (scheme:URI:port) Allow-From: one or more origins (parsing) Behavior in case of a fail: “No-Frame page” Interdependencies with CSP (frame-ancestor) 6

7 6. Frame-Options – next steps Do we want to work on this in websec? Review volunteers Editor volunteers 7

8 Thank you 8

Download ppt "(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom March 2011 Frame-Options 1."

Similar presentations

Enter www.enom.com Click Register – Top Right. Fill In Information Click Create Account.

Enter Click Register – Top Right. Fill In Information Click Create Account.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Agenda Tobias Gondrom July 2011 Websec WG IETF 81 1.

Agenda Tobias Gondrom July 2011 Websec WG IETF 81 1.
R esponsible P urchasing P olicy A Solution to CSR & Forest Protection Greenpeace/LIU Bing 2008.06.18/19 Beijing.

R esponsible P urchasing P olicy A Solution to CSR & Forest Protection Greenpeace/LIU Bing /19 Beijing.
Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.

Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.
 To publish information for global distribution, one needs a universally understood language, a kind of publishing mother tongue that all computers may.

 To publish information for global distribution, one needs a universally understood language, a kind of publishing mother tongue that all computers may.
(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1.

(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1.
Together and UML Greg Johnson CSE 230 – Software Engineering Spring 2007.

Together and UML Greg Johnson CSE 230 – Software Engineering Spring 2007.
Create slices and hotspots Create links in Web pages Create rollovers from slices Create basic animation Add tweening symbol instances to create animation.

Create slices and hotspots Create links in Web pages Create rollovers from slices Create basic animation Add tweening symbol instances to create animation.
New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.

New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.
Javascript Document Object Model. How to use JavaScript  JavaScript can be embedded into your html pages in a couple of ways  in elements in both and.

Javascript Document Object Model. How to use JavaScript  JavaScript can be embedded into your html pages in a couple of ways  in elements in both and.
Visual Basic Prototyping Visual Basic uses both a Visual Editor and is Code Based. With several simple lines of code, Visual Basic will navigate between.

Visual Basic Prototyping Visual Basic uses both a Visual Editor and is Code Based. With several simple lines of code, Visual Basic will navigate between.
Computer viruses By: Shannon Simonian. What is a computer virus?  -Shares traits of a biological virus in people.  -Computer viruses pass from computer.

Computer viruses By: Shannon Simonian. What is a computer virus?  -Shares traits of a biological virus in people.  -Computer viruses pass from computer.
MGMT 230 Lab 1 HTML Basics. 2 HTML Tags An HTML document contains both document content and tags. The tags are the HTML codes inserted in a document to.

MGMT 230 Lab 1 HTML Basics. 2 HTML Tags An HTML document contains both document content and tags. The tags are the HTML codes inserted in a document to.
XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.

XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.
JavaScript, Third Edition

JavaScript, Third Edition
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Unsafe Exposure Analysis of Mobile In-App Advertisements Offense: Rachel Stonehirsch.

Unsafe Exposure Analysis of Mobile In-App Advertisements Offense: Rachel Stonehirsch.

Similar presentations

Ads by Google