<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi Erlend, <br>
      FYI: actually we are currently working on rolling the "Allow-From"
      into the next version of XFO for all browsers, which in this case
      then will be Frame-Options (without the "X-"). <br>
      An alternative route we currently analyse is to wrap FO into CSP,
      but there are some technical problems with that. Would expect all
      to be sorted and done by Q1 2013. <br>
      Best regards, Tobias<br>
      <br>
      Ps.: the current XFO:
      <a class="moz-txt-link-freetext" href="http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00">http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00</a><br>
      and the new FO
      <a class="moz-txt-link-freetext" href="http://tools.ietf.org/html/draft-ietf-websec-frame-options-00">http://tools.ietf.org/html/draft-ietf-websec-frame-options-00</a><br>
      <br>
      <br>
      <br>
      On 04/09/12 21:06, Erlend Oftedal wrote:<br>
    </div>
    <blockquote
      cite="mid:D1FF345DA6629344A71610FFABB0D021379FCFFB@exch01"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">I did a bit of research on
        X-frame-options a while back. At the time only IE supported
        Allow-from.<br>
        That may still hold.<br>
        <div><a moz-do-not-send="true"
            href="http://erlend.oftedal.no/blog/tools/xframeoptions/"
            target="_blank">http://erlend.oftedal.no/blog/tools/xframeoptions/</a><br>
          <br>
          Erlend<br>
        </div>
        <div style="font-family: Times New Roman; color: #000000;
          font-size: 16px">
          <hr tabindex="-1">
          <div style="direction: ltr;" id="divRpF452570"><font
              color="#000000" face="Tahoma" size="2"><b>From:</b>
              <a class="moz-txt-link-abbreviated" href="mailto:owasp-leaders-bounces@lists.owasp.org">owasp-leaders-bounces@lists.owasp.org</a>
              [<a class="moz-txt-link-abbreviated" href="mailto:owasp-leaders-bounces@lists.owasp.org">owasp-leaders-bounces@lists.owasp.org</a>] on behalf of Eoin
              [<a class="moz-txt-link-abbreviated" href="mailto:eoin.keary@owasp.org">eoin.keary@owasp.org</a>]<br>
              <b>Sent:</b> 4 September 2012 13:35<br>
              <b>To:</b> Jim Manico<br>
              <b>Cc:</b> Eoin Keary; <a class="moz-txt-link-abbreviated" href="mailto:owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a><br>
              <b>Subject:</b> Re: [Owasp-leaders] Clickjacking Defense<br>
            </font><br>
          </div>
          <div>
            <div>Sure not everyone is security savvy. They'll use older
              browsers!!</div>
            <div><br>
              Eoin Keary
              <div>Owasp Global Board</div>
              <div>+353 87 977 2988</div>
              <div><br>
              </div>
            </div>
            <div><br>
              On 4 Sep 2012, at 08:59, Jim Manico <<a
                moz-do-not-send="true"
                href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>>
              wrote:<br>
              <br>
            </div>
            <blockquote type="cite">
              <div>
                <div>It's an ineffective approach.  I'd prefer to add a
                  section saying NOT to do it and will provide the
                  Stanford article link as backup. Fair?<br>
                  <br>
                  PS: If you use an older browser you have much much
                  bigger problems....</div>
                <div><br>
                  <div>--</div>
                  <div>Jim Manico</div>
                  <div>(808) 652-3805</div>
                </div>
                <div><br>
                  On Sep 4, 2012, at 8:44 AM, Eoin Keary <<a
                    moz-do-not-send="true"
                    href="mailto:eoinkeary@gmail.com" target="_blank">eoinkeary@gmail.com</a>>
                  wrote:<br>
                  <br>
                </div>
                <blockquote type="cite">
                  <div>
                    <div>So we should mention that?? It is still a
                      common approach to cover older browsers.<br>
                      <br>
                      Eoin Keary
                      <div>Owasp Global Board</div>
                      <div>+353 87 977 2988</div>
                      <div><br>
                      </div>
                    </div>
                    <div><br>
                      On 3 Sep 2012, at 21:35, Jim Manico <<a
                        moz-do-not-send="true"
                        href="mailto:jim.manico@owasp.org"
                        target="_blank">jim.manico@owasp.org</a>>
                      wrote:<br>
                      <br>
                    </div>
                    <blockquote type="cite">
                      <div>
                        <div class="moz-cite-prefix">It's so easily
                          evadable ...<br>
                          <br>
                          <a moz-do-not-send="true"
                            class="moz-txt-link-freetext"
                            href="http://seclab.stanford.edu/websec/framebusting/framebust.pdf"
                            target="_blank">http://seclab.stanford.edu/websec/framebusting/framebust.pdf</a><br>
                          <br>
                          ... I no longer recommend the technique. If
                          there IS a good JavaScript framebusting
                          technique I'm all ears...<br>
                          <br>
                          Jim Manico<br>
                          OWASP Volunteer<br>
                          (808) 652-3805<br>
                          <br>
                          <br>
                          <br>
                        </div>
                        <blockquote type="cite">
                          <pre>The jscript stuff still makes it a little header. There are also some sorta effective solutions. Should you not include them?

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 3 Sep 2012, at 17:58, Jim Manico <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jim.manico@owasp.org" target="_blank"><jim.manico@owasp.org></a> wrote:

</pre>
                          <blockquote type="cite">
                            <pre>I want to write a Cheat-sheet on Clickjacking defense.

I was thinking of just discussing the different framing blocking headers....

// to prevent all framing of this content 
response.addHeader( "X-FRAME-OPTIONS", "DENY" ); 

// to allow framing of this content only by this site 
response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );

// to allow framing from a specific domain
response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" ); 

...and call it a day. I do not want to recommend manual framebreaking JavaScript, it's completely ineffective and is easily evaded.

What do you think, any thoughts on this topic?

Cheers folks,

Jim Manico
OWASP Volunteer
(808) 652-3805

_______________________________________________
OWASP-Leaders mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a>
</pre>
                          </blockquote>
                        </blockquote>
                        <br>
                      </div>
                    </blockquote>
                  </div>
                </blockquote>
              </div>
            </blockquote>
          </div>
        </div>
      </div>
    </blockquote>
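<p>As an added example (not code from the thread or from any of its participants), the following Python checker evaluates a response's header set against the three X-Frame-Options values Jim lists (DENY, SAMEORIGIN, ALLOW-FROM) and raises the caveats the thread discusses: a missing or malformed header leaves the page frameable, and ALLOW-FROM is only honoured by browsers that implement it (at the time, only IE, per Erlend). The header list and origins below are constructed sample input.</p>

```python
from urllib.parse import urlsplit

# Added example, not from the thread. Classifies an HTTP response's
# anti-framing policy from its X-Frame-Options header(s).


def parse_xfo(value):
    """Return (directive, origin) for one X-Frame-Options value, or None if malformed."""
    parts = value.strip().split(None, 1)
    if not parts:
        return None
    directive = parts[0].upper()
    if directive in ("DENY", "SAMEORIGIN"):
        # These directives take no argument; trailing tokens make the value invalid.
        return (directive, None) if len(parts) == 1 else None
    if directive == "ALLOW-FROM" and len(parts) == 2:
        # ALLOW-FROM takes a single serialized origin (scheme://host[:port]).
        u = urlsplit(parts[1].strip())
        if u.scheme in ("http", "https") and u.netloc:
            return ("ALLOW-FROM", f"{u.scheme}://{u.netloc}".lower())
    return None


def framing_policy(headers):
    """headers: list of (name, value) pairs as received from the server.

    Returns a dict with 'status' (unprotected / ambiguous / protected) and
    the caveats a reviewer should raise about the configuration.
    """
    values = [v for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return {"status": "unprotected", "caveats": ["no X-Frame-Options header sent"]}
    if len(values) > 1:
        # Conflicting or duplicated values: browser handling varies, so treat as a finding.
        return {"status": "ambiguous",
                "caveats": ["multiple X-Frame-Options headers; browser behaviour varies"]}
    parsed = parse_xfo(values[0])
    if parsed is None:
        return {"status": "unprotected",
                "caveats": [f"unrecognised value {values[0]!r}: browsers ignore it"]}
    directive, origin = parsed
    caveats = []
    if directive == "ALLOW-FROM":
        caveats.append("ALLOW-FROM is not implemented by all browsers; those that do not "
                       "implement it treat the value as unrecognised and do not restrict framing")
    return {"status": "protected", "directive": directive,
            "allowed_origin": origin, "caveats": caveats}


if __name__ == "__main__":
    sample = [("Content-Type", "text/html"),
              ("X-Frame-Options", "ALLOW-FROM https://partner.example")]  # constructed
    print(framing_policy(sample))
```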
    <br>
  </body>
</html>