Being first to do something doesn’t automatically make it proprietary even if the first is Microsoft

DevCentral > Weblogs > Lori MacVittie - Two Different Socks

Being first to do something doesn’t automatically make it proprietary even if the first is Microsoft

posted on Monday, June 29, 2009 3:15 AM

Somebody has to be first

Recently Microsoft came up with a solution, supported natively in IE8, to protect against clickjacking attempts. Apparently some folks have decided that because Microsoft has a history of implementing proprietary solutions that this one, too, must be proprietary. These same folks must also have very little understanding of today’s web application architectures, as they declared the solution pretty much useless based on some pretty poor assumptions regarding the implementation of said solution.

As noted in the Register, “some critics have contended the protection [X-FRAME-OPTIONS custom HTTP header] will be ineffective because it will require millions of websites to update their pages with proprietary code.”

Where to start, oh where to start…

JUST WHAT DICTIONARY WERE THEY USING?

Proprietary implies usable only by a certain subset of products: those endorsed by the creator of the “proprietary” solution. Proprietary implies peculiar to a specific technology. Proprietary implies closed. Proprietary means things like ActiveX, which only work properly on a Windows platform. Proprietary means keeping the implementation secret so no one else can implement it. Microsoft implemented a solution based on a custom HTTP header. A header, I might add, that anyone using any browser running on any platform is quite capable of seeing. A header that can be easily handled by any other browser developer, if they so choose, to implement similar behavior. A header based on accepted standards.

A custom HTTP header can be interpreted by any browser if it so chooses as well as intermediaries capable of intelligently handling HTTP. The speedy support via NoScript for X-FRAME-OPTIONS proves the solution is hardly “proprietary” and not applicable to just Microsoft’s solution.

The term proprietary is often considered synonymous with Microsoft but in this case calling the solution proprietary is simply the result of a bad habit apparently difficult for some to break.

Unlike the use of other truly proprietary solutions in the browser – like XMLHTTPRequest object before it was widely adopted as a “standard” – custom HTTP headers are about as innocuous as you can get. Their existence neither hinders nor helps browsers that don’t support it and it does absolutely no harm to applications or the user-experience to carry it along even to clients that will see no benefit from it. And if the developers of those browsers/clients decide to support it, the existence of such headers will immediately provide a benefit.

OH YEAH – ABOUT THAT OTHER ASSUMPTION YOU MADE…

“…it will require millions of websites to update their pages with proprietary code.”

Excuse me while I decide whether to laugh or have a conniption fit at this one.

This assumption shows a decided lack of understanding of architecture. While it’s certainly true that one way to support the use of X-FRAME-OPTIONS is to update web applications (let us not fall into the trap of digressing into an argument over the use of the term “pages” and “code” to describe an application…) there are are other, less disruptive, solutions.

The organizations that are most likely to be the subject of a clickjacking attack are financial institutions, retailers, and perhaps social networking sites. It seems likely that these folks have built out an architecture capable of scaling and assuring availability of their sites. If you think not true, consider how often you’ve attempted to visit one of those sites and not been able to do so. Exactly. They’re smart people; they’ve built out an environment that almost certainly involves intermediaries (load balancers, application firewalls, application switches, application delivery controllers, proxies, etc…) that do other forms of application layer inspection and, perhaps, manipulation. They have other things to worry about, after all, like data leak prevention and content filtering and stopping SQLi and other nasty attacks from destroying their critical applications. So they’ve likely already got an intermediary in place that’s capable of easily adding a custom HTTP header on the way out the door.

As I previously noted in Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox folks can use network-side scripting solutions to effortlessly insert the custom header as necessary without modifying code. If an application is comprised of say, an average of ten pages (I’m low-balling the estimate, I know that, but you can do the math on your own applications yourself), then this solution is 10 times more efficient than modifying the associated code. And network-side scripting solutions are likely already in place at most organizations that are likely to be targeted by clickjacking attacks. So all they have to do is write a little script and voila! This “proprietary, ineffective” solution starts working. Then they encourage customers to upgrade to IE8 or install the proper version of NoScript and, well, the Internet is safe again (at least for about 2.71828182845904523536 or “e” seconds).

FIRST DOESN’T MAKE IT PROPRIETARY, IT JUST MAKES IT FIRST

Just because an organization comes out with a solution first doesn’t automatically make it proprietary, unless they’ve already patented it and in that case, well it’s a whole different ball game. Microsoft saw a problem, decided on a solution, and implemented it.

What should be noted is that they did it in a way that made it possible for other browser vendors to take advantage of the same constructs to implement a similar solution. They used a custom HTTP header that’s portable and browser and operating system agnostic when they could have found any number of other, truly proprietary ways to solve this problem.

I’ve been down on Microsoft and its products in the past but in this case the software giant doesn’t deserve the negativity involved with calling this a proprietary solution. This is a far sight better than the framekiller options available today and it certainly doesn’t require the amount of work implied by these “critics” to leverage the solution.

Technorati Tags: MacVittie,F5,proprietary,clickjacking,IE8,firefox,noscript,solutions,english,definition,browsers,HTTP,headers,intermediaries,web application,architecture,application delivery,web,internet,blog,web 2.0

Related blogs & articles:

Feedback

6/29/2009 8:36 AM
		I'm not sure if you're being deliberately argumentative here, but 'proprietary' has been used for years by the development community to indicate 'vendor specific'. It might not be great english and you can nitpick over semantics all you want (I'll be the first to admit nitpicking over semantics is something web-devs do just oh-too-well), but at the end of the day what you are doing is just nitpicking. The basic fact is that, once again, Microsoft circumvented the standards community and introduced their own vendor specific solution to a problem, and they did it when blowing their own trumpet at producing their most standards compliant browser yet. Sure, their solution might be taken up by other browsers eventually, but frankly, given their history, is it really a surprise to see developers not being wildly enthusiastic about the introduction of yet another vendor specific solution? Especially one that Microsoft themselves have admitted they only included because CSP (http://people.mozilla.org/~bsterne/content-security-policy/details.html) was outside the scope of IE8 ( http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx#9382139 ), leaving us to wonder exactly how committed to this interim solution they are and how committed other browser vendors should be in supporting it.
Steerpike

7/3/2009 8:23 AM
		@Steerpike, I'm no real fan of microsoft either (and at personal risk of sounding 'nitpicky') but where do you think standards come from? XMLHttpRequest started out as a server-side API specifically for Outlook Web Access and initially was only supported by IE5. Only after this kind of introduction did it evolve into the widely used specification in use today. Stating that 'X-Frame-Options' is bad because Microsoft introduced and incorporated it into IE8 makes no sense to me. Is JavaScript bad then because Netscape introduced and incorporated it into Netscape Navigator 2.0 beta3? IE has a big problem with traditional Framekillers implemented in javascript so microsoft certainly had to do something--after all, their browser is still used by a slowly sinking majority of end-users out there. Is a standard only good if it is introduced by a non-profit and/or open source team? Do we then assume that two-thirds of HTML 5 is bad because Apple and Opera Software are two-thirds of the founding members of WHATWG? Back in April 2009, the WebKit and the Chromium teams began implementing 'X-Frame-Options' support and Safari 4 now supports it natively. The firefox NOSCRIPT add-on team support it as well although firefox native does not...yet. The fact of the matter here for me is that with standards like PCI-DSS that have strict timetables for resolution and very real penalties for a lack of implementation, solutions like X-Frame-Options that can be implemented by a web site administrator by modifying the web server configuration or by a developer by writing custom response headers in their code is pretty cool. It isn't a perfect solution but it is certainly a good start to something that could very well evolve into your vision of what this should look like and it helps protect against a very real problem today while we wait.
Chris M.

Leave Feedback

Title
Name
Email
Url
Comments
Remember Me? Enter the code shown above:
Please add 3 and 8 and type the answer here:

My Links

DevCentral Home
DevCentral Blogs
DevCentral Forums
My Blog
Contact Me
Syndication
Login

Blog Stats

Posts		617		Comments		1136
Stories		0		Trackbacks		328

	Tag Cloud
	acceleration application delivery application security architecture BIG-IP blog cloud cloud computing dynamic infrastructure F5 HTTP infrastructure INfrastructure 2.0 integration internet load balancing MacVittie optimization performance scalability security SOA virtualization web web 2.0 more tags...

Post Categories

		WILS
		General SOA
		SOA Delivery
		Randomness
		Web 2.0
		Security
		iRules
		iControl
		Development and General
		Monitoring/Management
		XML
		ISV Solutions
		Microsoft Solutions
		Performance
		Cloud Computing
		Virtualization

Archives

		February, 2010 (7)
		January, 2010 (17)
		December, 2009 (16)
		November, 2009 (20)
		October, 2009 (22)
		September, 2009 (21)
		August, 2009 (25)
		July, 2009 (18)
		June, 2009 (20)
		May, 2009 (20)
		April, 2009 (21)
		March, 2009 (23)
		February, 2009 (17)
		January, 2009 (19)
		December, 2008 (17)
		November, 2008 (18)
		October, 2008 (27)
		September, 2008 (32)
		August, 2008 (31)
		July, 2008 (30)
		June, 2008 (33)
		May, 2008 (30)
		April, 2008 (24)
		March, 2008 (5)
		February, 2008 (4)
		January, 2008 (8)
		December, 2007 (5)
		November, 2007 (6)
		October, 2007 (3)
		September, 2007 (5)
		August, 2007 (7)
		July, 2007 (7)
		June, 2007 (5)
		May, 2007 (11)
		April, 2007 (9)
		March, 2007 (7)
		February, 2007 (10)
		January, 2007 (5)
		December, 2006 (4)
		November, 2006 (8)

Application Delivery

		Infrastructure 2.0
		onizo#
		The Virtual ADC

Cloud Computing

Google Group: Cloud Computing

Random

Security

Rational Survivability

SOA

		Loosely Coupled
		Miko Matsumura's SOA Center
		SOA Enterprise Patterns

Copyright 1996 - 2007 F5 Networks, Inc. | Privacy Statement | Terms Of Use