WebmasterWorld, Webmaster General Forum
X-Frame-Options something web developers should know
swa66
msg:4022869, 3:21 am on Nov 11, 2009 (gmt 0)

X-Frame-Options

Originally invented by Microsoft for IE8, but supported by a number of browsers, this idea might have more uses than what it was intended for originally.
Let's have a bit deeper look at what it is and how we can use it.

What is it good for?

Originally it was intended as a way to prevent clickjacking.

To understand clickjacking, let's first look at Cross Site Request Forgery (CSRF). CSRF is abusing the ability of browsers to interact with multiple servers at the same time. So you're logged in to your bank and the attacker tricks you into clicking on a link that sends him some money.
Good websites protect themselves from this by e.g. using request tokens to make sure the request being received is intentional.
Many websites are vulnerable to various forms of CSRF, some even argue the majority of websites that interact with users are vulnerable somewhere.

Clickjacking is a way to trick visitors into interacting with a victim website without the user knowing he's doing it, by e.g. overlaying other things such as images over the elements.

Framebusting is a common technique to prevent clickjacking; sadly, framebusting can be defeated.

X-Frame-Options was introduced in a beta release of IE8 as an alternative.

So what is X-Frame-Options?

It's an HTTP response header.

HTTP, not HTML!

It can be used to prevent framing, in the browser, of the pages that are delivered to it: the browser simply refuses to render the page in a frame if the header is present, depending on the set value.

Values are

  • DENY: Stops all framing
  • SAMEORIGIN: Stops framing except for the same website that delivered the page itself. (Allowing http://www.example.com/ to frame pages served from http://www.example.com/ with X-Frame-Options set to this value)

What does it not do?

It doesn't protect your web site from being a victim of clickjacking, as by far not all browsers support it. E.g. Microsoft neglected to backport it to the still widely popular IE6 and IE7 browsers.

So you still need all the other measures too.

Note that it's something that doesn't need JavaScript and has little odds of being defeated by smart attackers as long as the browser supports it, so it's not without merit.

Alternative to framebusting?

Since X-Frame-Options is, in the security world, an additional measure somewhat similar to where framebusting could be used, isn't it also an alternative to framebusting in other webmaster areas?

Sure it is: just remember that instead of taking over the entire tab, the browser will not render it at all. And your regular framebusting JavaScript has no chance, as it'll not get loaded if the browser supports this.

Browsers that support it

  • IE8
  • Safari
  • Chrome
  • Firefox with the NoScript addon

It's not backported to IE6 and IE7.

How to send out the header using IIS

Open the Internet Service Manager
HTTP Headers tab
in the Custom Headers section: Add...

Custom Header Name: X-Frame-Options
Custom Header Value: "DENY" or "SAMEORIGIN" (without the quotes).

Can anybody confirm/correct this (I don't run IIS)?

How to send out the header using apache

Add this to your httpd.conf:
# "set" replaces any header of this name the application may already have sent;
# "append" would merge the two values into one comma-separated list.
Header always set X-Frame-Options SAMEORIGIN

Other ways to set X-Frame-Options

If you generate your page on the server and can change the HTTP headers, you can add it from your server-side scripts.
PHP, Java EE, .NET etc. can all set it there.

Links

Note this isn't new, it's just something that I found a bit under-covered out here.
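
An added illustration, not part of swa66's post and not any browser's actual source: the JavaScript below models the decision a supporting browser makes when a response carrying X-Frame-Options is about to be rendered inside a frame. "Origin" means scheme, host and port, so the http:// and https:// versions of a site are different origins for SAMEORIGIN. The handling of a list of values follows the check in the current HTML standard, which later absorbed this header (RFC 7034); the 2009-era browsers tested further down the thread differed in such details. All URLs are made up.

```javascript
// Added example (not from the thread, and not any browser's real code): a model
// of the decision a supporting browser makes when a response carrying
// X-Frame-Options is about to be rendered inside a frame.

// The same-origin policy compares scheme, host and port; URL.host keeps a
// non-default port, so https://a.example and https://a.example:8443 differ.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Lower-cased tokens of the field value. If the header was sent twice the
// browser sees the values comma-joined, hence the split.
function parseXFrameOptions(headerValue) {
  if (headerValue === null || headerValue === undefined) return [];
  return headerValue
    .split(",")
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t !== "");
}

// responseUrl: URL of the document being framed
// headerValue: its X-Frame-Options field value, or null when absent
// ancestors:   URLs of the embedding documents, outermost (top-level) first
// Returns { allowed, reason }. Mixed values follow the rule in the current HTML
// standard: any list other than a repeated SAMEORIGIN is treated as a refusal.
function framingDecision(responseUrl, headerValue, ancestors) {
  if (ancestors.length === 0) {
    return { allowed: true, reason: "top-level document; the header only restricts framing" };
  }
  const tokens = parseXFrameOptions(headerValue);
  if (tokens.length === 0) {
    return { allowed: true, reason: "no X-Frame-Options header; framing is unrestricted" };
  }
  if (tokens.length > 1 && tokens.some((t) => t !== "sameorigin")) {
    return { allowed: false, reason: `conflicting values "${tokens.join(", ")}"` };
  }
  const directive = tokens[0];
  if (directive === "deny") {
    return { allowed: false, reason: "DENY" };
  }
  if (directive === "sameorigin") {
    // RFC 7034 left it open whether only the top-level page or every ancestor
    // is compared; checking every ancestor is the stricter choice and the one
    // the HTML standard specifies.
    const self = originOf(responseUrl);
    for (const url of ancestors) {
      const other = originOf(url);
      if (other !== self) {
        return { allowed: false, reason: `SAMEORIGIN: ancestor ${other} is not ${self}` };
      }
    }
    return { allowed: true, reason: "SAMEORIGIN: every ancestor shares the origin" };
  }
  return { allowed: true, reason: `unrecognised value "${directive}" is ignored` };
}

// Constructed scenarios: a bank page framed by a hostile site, by itself, by
// itself inside a hostile site, and by its own plain-http counterpart.
const BANK = "https://bank.example/transfer";
for (const [header, ancestors] of [
  ["DENY", ["https://attacker.example/"]],
  ["SAMEORIGIN", ["https://bank.example/"]],
  ["SAMEORIGIN", ["https://attacker.example/", "https://bank.example/"]],
  ["SAMEORIGIN", ["http://bank.example/"]],
  [null, ["https://attacker.example/"]],
]) {
  const { allowed, reason } = framingDecision(BANK, header, ancestors);
  console.log(`${String(header).padEnd(11)} ${allowed ? "render" : "refuse"}  ${reason}`);
}
```

Run it with node; the loop at the end prints one line per scenario. The nested case (bank page framed by itself, framed in turn by a hostile page) is why comparing against every ancestor matters: a top-level-only check would let it through.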

 

httpwebwitch
msg:4023109, 12:40 pm on Nov 11, 2009 (gmt 0)

A truly useful addition to HTTP. Anyone involved in web security should learn about this!

How to send out the header using PHP:
<?php
// Must run before any output (HTML, whitespace, BOM) is sent; once output has
// started, PHP cannot add headers and warns "headers already sent".
header("X-Frame-Options: SAMEORIGIN");
?>

dertyfern
msg:4025198, 9:18 am on Nov 15, 2009 (gmt 0)

Great info. Tried this with IIS6 but doesn't seem to work.

blend27
msg:4025257, 3:01 pm on Nov 15, 2009 (gmt 0)

IIS6, Added the header with Value DENY:

FF3.5
This content cannot be displayed in a frame
To protect your security, the publisher of this content does not allow it to be displayed in a frame. :)
Click here to open this content in a new window
--------
Safari 4.0.3 Get a blank Screen :)
--------
Opera 9.64 Displays the content :(
--------
IE7 Displays the content :(
--------
IE8 Blocks the content ! :)

Thanks for the heads up.

Pfui
msg:4025322, 7:18 pm on Nov 15, 2009 (gmt 0)

Apache (1.3.x) variations on a theme... A-OK in .htaccess:

Header append X-FRAME-OPTIONS "SAMEORIGIN"
(or)
Header append X-FRAME-OPTIONS "DENY"
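
An added check, example code rather than anything from the thread or from Apache: once the header is configured, what a practitioner verifies is that each page leaves the server with exactly one X-Frame-Options header carrying exactly one valid value. The script below audits a raw response head of the kind `curl -sI https://www.example.com/` prints; its sample responses are constructed. Two details matter here. Header names are case-insensitive, so the upper-case spelling in the .htaccess lines above is equivalent to X-Frame-Options. And mod_headers' `append` merges onto an existing header of the same name with a comma, so if application code (such as the PHP one-liner earlier in the thread) also sets it, the browser receives a list instead of one value; `Header set` replaces any existing value instead.

```javascript
// Added example (not from the thread): audit X-Frame-Options in a raw HTTP
// response head, e.g. the output of `curl -sI https://www.example.com/`.

const VALID_VALUES = new Set(["deny", "sameorigin"]);

// Split a raw response head into its status line and [name, value] pairs.
// Header names are case-insensitive, so they are lower-cased for matching;
// values are kept as sent so the report can show what the server emitted.
function parseHead(raw) {
  const lines = raw.split(/\r?\n/);
  const status = lines.shift() || "";
  const headers = [];
  for (const line of lines) {
    if (line === "") break; // the blank line ends the head
    const colon = line.indexOf(":");
    if (colon < 0) continue; // tolerate junk such as folded or truncated lines
    headers.push([line.slice(0, colon).trim().toLowerCase(), line.slice(colon + 1).trim()]);
  }
  return { status, headers };
}

// Returns { status: "ok" | "missing" | "invalid", values, detail }.
function auditXFrameOptions(raw) {
  const values = parseHead(raw).headers
    .filter(([name]) => name === "x-frame-options")
    .map(([, value]) => value);
  if (values.length === 0) {
    return { status: "missing", values, detail: "no X-Frame-Options header: any site may frame this page" };
  }
  // Two header lines, or one line holding "A, B", both reach the browser as a
  // list. Only a single valid token is handled the same way by every browser.
  const tokens = values
    .flatMap((v) => v.split(","))
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t !== "");
  if (tokens.length !== 1) {
    return { status: "invalid", values, detail: `${tokens.length} values reach the browser (${tokens.join(", ")}); emit exactly one` };
  }
  if (!VALID_VALUES.has(tokens[0])) {
    return { status: "invalid", values, detail: `unrecognised value "${values[0]}"; browsers ignore it and render the frame` };
  }
  return { status: "ok", values, detail: `X-Frame-Options: ${tokens[0].toUpperCase()}` };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  good: "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-FRAME-OPTIONS: SAMEORIGIN\r\n\r\n",
  missing: "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
  // What `Header append` yields when the application already set the header.
  merged: "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n\r\n",
  // Two layers (a proxy and the origin server, say) each emitting the header.
  twoLines: "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: DENY\r\n\r\n",
  typo: "HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n",
};

for (const [label, raw] of Object.entries(SAMPLES)) {
  const result = auditXFrameOptions(raw);
  console.log(`${label.padEnd(9)} ${result.status.padEnd(8)} ${result.detail}`);
}
```

To audit a live site, save the output of `curl -sI` to a file and pass its contents to auditXFrameOptions; check every distinct page type (login, error pages, static assets served by a different handler), since a header added in one virtual host or location block is easy to miss in another.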

jamie
msg:4025655, 8:49 am on Nov 16, 2009 (gmt 0)

Then this would also block Google Image Search's top frame?

kaled
msg:4025799, 2:59 pm on Nov 16, 2009 (gmt 0)

This is not a subject I have ever considered, however, wouldn't this be unnecessary if browsers refused to display framed contents in a secure page unless the security certificate matched that of the parent frame (and ajax was similarly blocked). I guess the reverse would also have to be blocked (i.e. displaying a secure page within a standard page).

Perhaps I am missing something!

Kaled.
