Originally invented by Microsoft for IE8, but supported by a number of browsers, this idea might have more uses than what it was intended for originally.
Let's take a slightly deeper look at what it is and how we can use it.
What is it good for?
Originally it was intended as a way to prevent clickjacking.
To understand clickjacking, let's first look at Cross Site Request Forgery (CSRF). CSRF abuses the ability of browsers to interact with multiple servers at the same time. So you're logged in to your bank and the attacker tricks you into clicking a link that sends him some money.
Good websites protect themselves from this by e.g. using request tokens to make sure the request being received is intentional.
Many websites are vulnerable to various forms of CSRF, some even argue the majority of websites that interact with users are vulnerable somewhere.
Clickjacking is a way to trick visitors into interacting with a victim website without the user knowing they are doing so, e.g. by overlaying other things such as images over the page elements.
Framebusting is a common technique to prevent clickjacking; sadly, framebusting can be defeated.
X-Frame-Options was introduced in a beta release of IE8 as an alternative.
So what is X-Frame-Options?
It's a HTTP response header.
HTTP, not HTML!
It can be used to prevent framing of the pages a server delivers: the browser simply refuses to render the page in a frame if the header is present, depending on the value set:
- DENY: Stops all framing
- SAMEORIGIN: Stops framing except for the same website that delivered the page itself. (Allowing http://www.example.com/ to frame pages served from http://www.example.com/ with X-Frame-Options set to this value)
What does it not do?
It doesn't protect your web site from being a victim of clickjacking on its own, since by no means all browsers support it. E.g. Microsoft neglected to backport it to the still widely popular IE6 and IE7 browsers.
So you still need all the other measures too.
Alternative to framebusting?
Since X-Frame-Options is, in the security world, an additional measure covering some of the cases where framebusting could be used, isn't it also an alternative to framebusting in other webmaster areas?
Browsers that support it
- Firefox with the NoScript addon
It's not backported to IE6 and IE7
How to send out the header using IIS
Open the Internet Service Manager
HTTP Headers tab
In the Custom Headers section, click Add...
Custom Header Name: X-Frame-Options
Custom Header Value: "DENY" or "SAMEORIGIN" (without the quotes).
Can anybody confirm/correct this (I don't run IIS)?
How to send out the header using apache
Add this to your httpd.conf (requires mod_headers):
    Header always set X-Frame-Options SAMEORIGIN
Use set rather than append: if the header ends up being sent twice, or with a comma-joined value, browsers may not honour it at all.
Other ways to set X-Frame-Options
If you generate your page on the server and can change the HTTP headers, you can add it from your server-side scripts.
PHP, JavaEE, .NET etc all can set it there.
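As an added example (not code from the original post), here is the server-side side of this in Python: a minimal WSGI application that emits X-Frame-Options on every response, the same thing a PHP, JavaEE or .NET handler would do through its own header API, plus a small audit function that classifies the headers a server actually sends back, including the two ways the header is commonly broken (missing, or sent twice / comma-joined, which RFC 7034 says must be treated as invalid). The WSGI app, the function names and the sample header sets are this example's own assumptions.

```python
"""Added example, not from the original post: set X-Frame-Options on the
server side and audit what a response actually carries.  All names and the
sample header lists below are constructed for this example."""
from typing import Iterable, List, Tuple

# Only the two values described in the post; anything else is rejected.
VALID_MODES = ("DENY", "SAMEORIGIN")


def x_frame_options_header(mode: str) -> Tuple[str, str]:
    """Return the (name, value) pair for a valid X-Frame-Options header."""
    mode = mode.upper()
    if mode not in VALID_MODES:
        raise ValueError(f"unsupported X-Frame-Options value: {mode!r}")
    return ("X-Frame-Options", mode)


def make_app(mode: str = "SAMEORIGIN"):
    """Build a minimal WSGI application (hypothetical) that emits
    X-Frame-Options on every response it produces."""
    header = x_frame_options_header(mode)

    def app(environ, start_response):
        body = b"<html><body>hello</body></html>"
        start_response("200 OK", [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Length", str(len(body))),
            header,  # the anti-framing header, set once per response
        ])
        return [body]

    return app


def audit_frame_protection(headers: Iterable[Tuple[str, str]]) -> str:
    """Classify a response's framing protection from its header list.

    Returns 'missing' (no header at all), 'deny', 'sameorigin', or 'invalid'
    (unknown value, or the header sent more than once / comma-joined, which
    RFC 7034 says a browser must not accept as a valid directive).
    Header names are compared case-insensitively, as HTTP requires.
    """
    values: List[str] = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values.extend(v.strip() for v in value.split(","))
    if not values:
        return "missing"
    if len(values) != 1:
        return "invalid"  # duplicated or comma-joined: the 'append' pitfall
    value = values[0].upper()
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "sameorigin"
    return "invalid"


def captured_headers(app, path: str = "/") -> List[Tuple[str, str]]:
    """Run the WSGI app once in-process and capture the headers it sends."""
    captured: List[Tuple[str, str]] = []

    def start_response(status, response_headers, exc_info=None):
        captured.extend(response_headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    list(app(environ, start_response))  # consume the body iterator
    return captured


if __name__ == "__main__":
    # Our own app: header set correctly.
    print(audit_frame_protection(captured_headers(make_app("DENY"))))
    # Constructed header sets, as a scanner might see from other sites.
    samples = {
        "no header": [("Content-Type", "text/html")],
        "sent twice": [("X-Frame-Options", "SAMEORIGIN"),
                       ("x-frame-options", "SAMEORIGIN")],
        "comma-joined": [("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN")],
        "unknown value": [("X-Frame-Options", "ALLOWALL")],
    }
    for label, hdrs in samples.items():
        print(f"{label:14s} -> {audit_frame_protection(hdrs)}")
```

The audit function is the part worth keeping around: run it over the headers of your own pages and anything that is not `deny` or `sameorigin` means the browser-side protection is not in effect, whatever the configuration file says.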
Note this isn't new, it's just something that I found a bit under-covered out here.