Sharovatov’s Weblog

X-FRAME-OPTIONS

Posted in no category by sharovatov on 22 January 2012

The X-FRAME-OPTIONS HTTP response header, introduced by Microsoft in IE8, gives site owners an easy way to defend against the clickjacking attack (see this great paper for the details of the attack itself). The main article explaining how X-FRAME-OPTIONS works is this: http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

Basically, here’s the behaviour you get with the different X-FRAME-OPTIONS values:

DENY: the browser will not render the page inside a frame under any circumstances.
SAMEORIGIN: the browser renders the page inside a frame only if the framing (host) page has the same origin as the framed page.
ALLOW-FROM http://host: the browser renders the page inside a frame only if the framing page’s origin is http://host (the value names the page doing the framing, not the framed page). Note that only IE and Firefox ever implemented ALLOW-FROM; Chrome and Safari ignore it.

Any value the browser does not recognise (a typo like ALLOWALL, or ALLOW-FROM in a browser that does not support it) is treated as if no header had been sent, so the page stays frameable. The header fails open, not closed.

Please note that specifying the header in a META tag (http-equiv) won’t work: browsers only honour it as a real HTTP response header.

Good news: all browser vendors copied this from Microsoft, and now all modern browsers support this header (Firefox 3.6.9, IE8, Opera 10.50, Safari 4.0, Chrome 4.1).

Unfortunately, for some reason only Opera and IE show a meaningful message explaining why the frame was blocked; all the others just display an empty iframe (which is especially odd for Firefox, which should show a warning according to their bugzilla entry).

In any case, study the security papers linked above to understand how the attack works and what it can do to your visitors or your business.

However, if you are sure no one should ever embed your page in an iframe, then the simplest fix is to send X-FRAME-OPTIONS: DENY on every page you serve. The header only protects the responses that actually carry it, so set it once at the web server or framework level rather than in individual page templates, and make sure error pages and any other response that could be framed get it too. (In current browsers the Content-Security-Policy frame-ancestors directive supersedes this header and takes precedence when both are present.)

P.S. X-FRAME-OPTIONS has now been proposed to the IETF: http://tools.ietf.org/html/draft-gondrom-frame-options-01 (this draft was later published as RFC 7034).

One Response


  1. Koti Borra said, on 3 June 2014 at 6:12 am

    How can I ignore all X-FRAME-OPTIONS headers? Like in Chrome there is a plugin “Ignore X-FRAME-HEADERS”.
