Presentation is loading. Please wait.

Presentation is loading. Please wait.

(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1.

Published byJacob Rodgers Modified over 9 years ago

Similar presentations

Presentation on theme: "(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1."— Presentation transcript:

1 (draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1

2 1. History 2. Use Cases 3. Draft 4. TBD 5. Future steps 2

3 Frame-Options - History X-Frame-Options widely deployed/used to prevent XSS, CSRF First draft as result from Beijing and OWASP Summit: Running code and (some) consensus by implementers in using X-FRAME-OPTIONS HTTP-Header: DENY: cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN: can only be displayed if the top- frame is of the same “origin” as the page itself. 3

4 Frame-Options – Example Use-Cases A.1. Shop An Internet Marketplace/Shop link/button to "Buy this" Gadget, wants their affiliates to be able to stick the "Buy such-and-such from XYZ" IFRAMES into their pages. A.2. Confirm Purchase Page Onlineshop "Confirm purchase" anti-CSRF page. The Confirm Purchase page must be shown to the end user without possibility of overlay or misuse by an attacker. 4

5 Frame-Options - draft Frame-Options In EBNF: Frame-Options = "Frame-Options" ":" "DENY"/ "SAMEORIGIN" / ("ALLOW-FROM" ":" Origin-List) DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN: can only be displayed in a frame on the same origin as the page itself. ALLOW-FROM: can only be displayed in a frame on the specified origin(s) 5

6 6. Frame-Options - TBD Allowed framing: only top-level or whole frame chain Origin: is not the same as in origin draft (scheme:URI:port) Allow-From: one or more origins (parsing) Behavior in case of a fail: “No-Frame page” Interdependencies with CSP (frame-ancestor) 6

7 Frame-Options - Allow-From Allow-From: from only one location Reasons: 1. Privacy of other allowed framing sites 2. Keep size of http header small 3. Not to handle on web servers but in application Procedure: Origin of requesting page will be verified dynamically by the server and answer with matching Allow-From if authorized. 7

8 Frame-Options – future steps Other approaches: CSP defining framed-by policy: CSP authors indicated to support Frame-Options instead of part of CSP The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion") about half page document appeared a few weeks ago as an FPWD in the W3C Webapps WG: http://lists.w3.org/Archives/Public/public- webapps/2011JulSep/0088.html http://lists.w3.org/Archives/Public/public- webapps/2011JulSep/0088.html Includes idea control of other embedded objects like fonts, images. 8

9 Frame-Options – future steps Do we want to work on this in websec? Review volunteers Already received a number of reviews, but more never hurts 9

10 Thank you 10

Download ppt "(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1."

Similar presentations

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
OWASP Periodic Table of Vulnerabilities James Landis

OWASP Periodic Table of Vulnerabilities James Landis
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Agenda Tobias Gondrom July 2011 Websec WG IETF 81 1.

Agenda Tobias Gondrom July 2011 Websec WG IETF 81 1.
Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.

Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.
 To publish information for global distribution, one needs a universally understood language, a kind of publishing mother tongue that all computers may.

 To publish information for global distribution, one needs a universally understood language, a kind of publishing mother tongue that all computers may.
Understand Web Page Development 98-361 Software Development Fundamentals LESSON 4.1.

Understand Web Page Development Software Development Fundamentals LESSON 4.1.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.

New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.
 A chunk of code that you can imbed in an existing envronment  Differences › Resides: desktop or web › Embedding: any page or application or limited.

 A chunk of code that you can imbed in an existing envronment  Differences › Resides: desktop or web › Embedding: any page or application or limited.
Web Page Behavior IS 373—Web Standards Todd Will.

Web Page Behavior IS 373—Web Standards Todd Will.
Web Privacy Topics Andy Zeigler Senior Program Manager, Internet Explorer Microsoft.

Web Privacy Topics Andy Zeigler Senior Program Manager, Internet Explorer Microsoft.
Chapter 14: Personalization and TrustCopyright © 2004 by Prentice Hall User-Centered Website Development: A Human- Computer Interaction Approach.

Chapter 14: Personalization and TrustCopyright © 2004 by Prentice Hall User-Centered Website Development: A Human- Computer Interaction Approach.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Internet Basics.

Internet Basics.
Application Layer. Applications A program or group of programs designed for end users. A program or group of programs designed for end users. Software.

Application Layer. Applications A program or group of programs designed for end users. A program or group of programs designed for end users. Software.
Security and JavaScript. Learning Objectives By the end of this lecture, you should be able to: – Describe what is meant by JavaScript’s same-origin security.

Security and JavaScript. Learning Objectives By the end of this lecture, you should be able to: – Describe what is meant by JavaScript’s same-origin security.

Similar presentations

Ads by Google