On the X-Frame-Options Security Header

Frederik Braun

7

A few weeks ago, Mario Heiderich and I published a white paper about the X-Frame-Options security header. In this blog post, I want to summarize the key arguments for settings this security header in your web application.

X-Frame-Options is an optional HTTP response header that was introduced in 2008 and found its first implementation in Internet Explorer 8. Setting this header in your web application defines if it works within a frame element (e.g., iframe). The syntax for this header provides three options, ALLOW-FROM, DENY or SAMEORIGIN. Not sending this header implies allowing frames in general. ALLOW-FROM, however, allows whitelisting a specific origin. The opposite is, of course, DENY which means that no website is ever allowed to display your website in a frame. A common middle ground is to send SAMEORIGIN. This means that only websites of the same origin may frame it.

This blog post will highlight some attacks than can be thwarted by forbidding the framing of your document. First of all, Clickjacking. This term has gained major attention in 2008 and includes a multitude of techniques in which an evil web page can secretly include yours in a frame. But the author of this evil website will make your website transparent and present buttons on top of it. Anyone visiting this evil page will then click on something seemingly unrelated, which will actually result in mouse clicks in your web application.

A wide class of attacks on other websites leverage missing security features in the browser. Most modern browsers provide hardened security mechanisms that may easily thwart problems with content injections. The problem lies, as so often, in backwards compatibility. The most recent browser versions are obviously more secure than the previous ones. But when somebody frames your website, they can tell it to run in a compatibility mode. This feature only applies to Internet Explorer, but it will bring back the vintage rendering algorithms from IE7 (2006). In Internet Explorer, the document mode is inherited from the top window to all frames. If the evil websites runs in IE7 compatibility mode, then so does yours! This is an example of how IE7 compatibility can be triggered in any website:

<meta http-equiv="X-UA-Compatible" content="IE=7" />

If your website would not allow to be framed, your IE users were not at risk.

Another technique for possible attackers comes with window.name. This attribute of your browsing window (a tab, a popup and a frame are all windows in JavaScript’s sense) can be set by others and you cannot prevent it. The implications of this are manifold, but just for the sake of Cross-Site-Scripting (XSS) attacks it may make things for an attacker much easier. Sometimes, when an attacker is able to inject and execute scripts on your web page, he might be hindered by a length restriction. Say, for example, your website does not allow names that exceed 80 characters. Or messages that must not exceed 140. The window.name property can help bypassing these restriction in a very easy way. The attacker can just frame your website and give it a name of his liking, by supplying it in the frame’s name attribute. The JavaScript he will then execute can be as short as <svg/onload=eval(name)>, which means that it will execute the JavaScript specified in the name attribute of the frame element.

These and many other attacks are possible if you allow your web page to be displayed in a frame. Just recently, Isaac Dawson from Veracode has published a report about security headers on the top 1 million websites, which shows, that only 30,000 of them currently supply this header. However, the fact that many other sites are vulnerable to these sort of attacks is not a good reason to leave your website unprotected. You can easily address many security problems by just adding this simple header to your web application right away: If you’re using Django, check out the XFrameOptionsMiddleware. For NodeJS applications, you can use the helmet library to add security headers. If you want to set this header directly from within Apache or nginx, just take a look at the X-Frame-Options article on MDN.

7 responses

  1. Frederik Braun wrote on :

    Jesse Ruderman noted that the whole XSS trick involving `window.name` still works with Popups and Redirects – even if you *do* set X-Frame-Options. I still find it a good example as iframes can be hidden and are therefore more subtle.

  2. Eric lawrence wrote on :

    Your list of allowed values omitted the ALLOWFROM directive.

    1. Frederik Braun wrote on :

      Thank you! The post has been updated accordingly.

  3. Caleb wrote on :

    I scan the headers on a list of sites that is Alexa Top ~100,000 sites. My data supports Veracode’s data, which saw X-Frame-Options on about .03% of sites. I found X-Frame-Options on .028% of sites.

    If anyone’s interested in seeing what types of sites have adopted X-Frame-Options, the ones that I’ve detected are posted in a text file here:

    https://securityheaders.com/X-Frame-Options-sites-Dec-12-2014.txt

  4. Rohan wrote on :

    In firefox each time I click on some link, something else is opening. Is it clickjacking ?? Please help

    1. Daniel Veditz wrote on :

      That’s not “clickjacking”, which is an attack from one website on another using only standard web features. What you have is some kind of adware/malware installed on your machine. If it’s “adware” it might be as simple as an unwanted add-on or toolbar you could just remove through the add-on dialog, but more likely it will take more work to get rid of it.

      Please visit https://support.mozilla.org/ for help, or a more specialized anti-malware site like https://forums.malwarebytes.org/ , or http://www.bleepingcomputer.com/forums/ or http://forums.majorgeeks.com/ to name a few

      1. Rohan wrote on :

        Hi Daniel, I thought such adwares can only be installed on windows, are there such available for Mac as well