#578: Require embedees to opt-in.

Opened Nov 25, 2020

Guten TAG!

I'm requesting a TAG review of requiring embedees to opt-into (rather than -out of) being embedded in cross-origin documents.

Documents can embed anything they like via <frame>, <iframe>, etc., exposing those embedded resources to a number of attacks, ranging from the well-known risks of clickjacking to the less-understood side-channel risks of XSLeaks and Spectre. Developers can mitigate these risks by choosing to limit the ways in which particular resources can be embedded. The X-Frame-Options header and CSP's more-granular frame-ancestors directive both provide developers with a measure of defense, but developers must choose to use them.

We should change the web's defaults such that an explicit declaration is necessary to enable cross-origin embedding a given document. That is, we'd treat the absence of an explicit X-Frame-Options or frame-ancestors declaration as having more or less the same behavior as X-Frame-Options: SAMEORIGIN.

  • Explainer¹ (minimally containing user needs and example code): https://github.com/mikewest/embedding-requires-opt-in
  • Security and Privacy self-review²: This is a strict reduction in the ability to embed documents, with direct (positive) effect on attackers' ability to exploit side-channels to gain access to other origins' data.
  • GitHub repo (if you prefer feedback filed there): https://github.com/mikewest/embedding-requires-opt-in
  • Primary contacts (and their relationship to the specification):
    • Mike West (@mikewest, Google)
  • Organization/project driving the design: Google
  • External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): None yet. You're my first stop.

Further details:

  • I have reviewed the TAG's API Design Principles
  • The group where the incubation/design work on this is being done (or is intended to be done in the future): WICG (or just an issue against HTML)
  • The group where standardization of this work is intended to be done ("unknown" if not known): WHATWG
  • Existing major pieces of multi-stakeholder review or discussion of this design: None.
  • Major unresolved issues with or opposition to this design: None known.
  • This work is being funded by: Google.

We'd prefer the TAG leave review feedback as a comment in this issue and @-notify @mikewest.

Thanks for your work!
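The decision the proposal changes, as an added example (not code from this issue or from the linked explainer): a simplified model of how a browser decides whether an ancestor document may frame a response, with a flag that switches between today's default (no declaration means anyone may embed) and the proposed default (no declaration behaves like X-Frame-Options: SAMEORIGIN). The origins and header values are constructed, and only DENY/SAMEORIGIN plus a subset of frame-ancestors source expressions are modelled.

```javascript
// Added illustration, not browser or spec code. Origins below are constructed.
const SAME_ORIGIN = 'SAMEORIGIN';

// Look up a response header case-insensitively; undefined if absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key].trim();
}

// Extract the frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  const directive = csp.split(';').map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

// Match one frame-ancestors source expression against an ancestor origin (simplified:
// 'none', 'self', '*', a bare scheme like "https:", a host, or a "*.host" wildcard).
function sourceMatches(src, ancestor, self) {
  const s = src.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === 'self') return ancestor === self;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.startsWith(s + '//');
  const ancestorHost = new URL(ancestor).host;
  const host = s.replace(/^[a-z]+:\/\//, '');
  if (host.startsWith('*.')) return ancestorHost.endsWith(host.slice(1));
  return ancestorHost === host;
}

// May `ancestor` embed a document served from origin `self` with these response headers?
// `optIn` selects the proposed default: silence is treated as SAMEORIGIN.
function embeddingAllowed(headers, self, ancestor, optIn = false) {
  const sources = frameAncestors(header(headers, 'Content-Security-Policy'));
  // When frame-ancestors is present it takes precedence and X-Frame-Options is ignored.
  if (sources) return sources.some((src) => sourceMatches(src, ancestor, self));
  const xfo = (header(headers, 'X-Frame-Options') || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === SAME_ORIGIN) return ancestor === self;
  // No declaration at all: today anyone may embed; under the proposal only the same origin may.
  return optIn ? ancestor === self : true;
}
```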

Discussions

2021-01-Kronos

Minutes

No issues except compat concerns.