X-Frame-Options

Sid Stamm


One of the security enhancements included with Firefox 3.6.9 is support for the x-frame-options header. This optional header can be included within the HTTP response to instruct the client’s browser on whether the returned content is allowed to be framed by other pages.

A website can choose to include the x-frame-options header to protect against malicious framing of its content by third parties. For example, a malicious site might frame a website from another domain and surround the framed site with advertisements. Alternatively, a malicious site could use a CSS layer attack called ClickJacking to trick users into performing unintended actions within the framed website, which is obscured by overlaid CSS layers.

The x-frame-options header supports the following values:
SAMEORIGIN – allows only sites from the same domain to frame the page
DENY – prevents any site from framing the page
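The decision a browser makes from those two values, written out as an added example (not code from the post or from Firefox). It assumes the policy is read only from the HTTP response header, never from the document body, and that origins compare by scheme, host and port; the URLs and header values are constructed for illustration.

```python
"""Framing decision per X-Frame-Options (DENY / SAMEORIGIN) - added example."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
VALID_POLICIES = ("DENY", "SAMEORIGIN")


def origin_of(url):
    """Normalise a URL to its (scheme, host, port) origin so that
    https://bank.example and https://bank.example:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def framing_allowed(response_headers, framed_url, top_url):
    """Return (allowed, reason) for rendering framed_url inside a page at top_url.

    response_headers: the framed document's HTTP response headers (dict).
    Only the header is consulted; a <meta> tag in the body is deliberately
    ignored, since the body may arrive after content has already rendered.
    """
    value = None
    for name, raw in response_headers.items():
        if name.lower() == "x-frame-options":  # header names are case-insensitive
            value = raw.strip().upper()
    if value is None:
        return True, "no X-Frame-Options header; framing permitted"
    if value == "DENY":
        return False, "DENY: no site may frame this page"
    if value == "SAMEORIGIN":
        same = origin_of(framed_url) == origin_of(top_url)
        return same, "SAMEORIGIN: top-level origin " + ("matches" if same else "differs")
    # Assumption for this example: an unrecognised value is treated as absent.
    return True, f"unrecognised value {value!r}; treated as absent"


def protected_headers(policy):
    """Server side: build the response header, refusing misspelt policies
    so a typo cannot silently leave the page frameable."""
    if policy.upper() not in VALID_POLICIES:
        raise ValueError(f"unsupported X-Frame-Options value: {policy!r}")
    return {"X-Frame-Options": policy.upper()}


if __name__ == "__main__":
    hdrs = protected_headers("sameorigin")
    print(framing_allowed(hdrs, "https://bank.example/acct", "https://evil.example/"))
    print(framing_allowed(hdrs, "https://bank.example/acct", "https://bank.example:443/"))
```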

Additional Reading:
Mozilla Developer Network article
Microsoft Developer Network article
OWASP Clickjacking Article

Michael Coates
Web Security

4 responses

  1. Ken Saunders wrote on ::

    So something like this?

    <meta name="X-FRAME-OPTIONS" content="DENY" />

    <meta name="X-FRAME-OPTIONS" content="SAMEORIGIN" />

  2. Ian Macfarlane wrote on ::

    Along the lines of what Ken asked, does the http-equiv meta tag work? E.g.:

    <meta http-equiv="X-FRAME-OPTIONS" content="DENY">
    <meta http-equiv="X-FRAME-OPTIONS" content="SAMEORIGIN">

  3. Daniel Veditz wrote on :

    “the directive is ignored if specified in a META tag” according to
    http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx so that’s what we’ve done. There’s no official spec so “compatibility with IE” (which introduced the feature) is the goal.

    If browsers behave slightly differently with respect to security features, hackers can exploit those differences to attack sites that thought they were secure.

  4. Eric Lawrence [MSFT] wrote on ::

    IE will ignore the directive if specified in a META tag, and other browsers probably ought to, because the META tag might not be received until information has already rendered in the subframe.

    http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx