Multiple X-Frame-Options header

Article ID: 235509

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Capturing the HTTP headers shows that there are multiple X-Frame-Options headers in the response:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

Is this a problem?
What should be done?

Environment

Release: 12.5

Component:

Cause

The Web Agent sets the XFO header when the ACO is configured to do so.

RFC 7034 only restricts what the value of the header can be; it does not state that there should be only one XFO header in the response.

https://datatracker.ietf.org/doc/html/rfc7034

2.1.  Syntax

   The header field name is:

      X-Frame-Options

   There are three different values for the header field.  These values
   are mutually exclusive; that is, the header field MUST be set to
   exactly one of the three values.

The following illustration shows how multiple XFO headers can be returned.

In this case, depending on the URI, the response can carry different, and multiple, XFO headers:

1. http://<proxy>/app1/  --> XFO:DENY
2. http://<proxy>/app2/  --> XFO:DENY & XFO:SAMEORIGIN

It becomes even more complicated if the XFO header is also set at the <proxy>, because that adds yet another XFO header to the response.

Resolution

As the RFC says, XFO header values should not be merged (usually by joining them with a comma as a separator), as the merged value is invalid.
There should be only one value.

X-Frame-Options: DENY, SAMEORIGIN (Invalid)

It is also invalid to have multiple X-Frame-Options headers in one response:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

Decide which component (the frontend or the backend) will set the XFO header so there will be only ONE X-Frame-Options header in the response.
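To confirm that the chosen component is the only one emitting the header, the captured response can be checked for the two invalid shapes described above (two X-Frame-Options headers, or one header with comma-merged values) as well as for values outside the three the RFC allows. The following checker is an added example, not part of this article or of the SiteMinder product; the sample responses are constructed to mirror the /app1/ and /app2/ cases above, and the function names are our own.

```python
# Allowed X-Frame-Options values per RFC 7034: exactly one header, exactly one of these.
_ALLOWED = ("DENY", "SAMEORIGIN", "ALLOW-FROM")


def parse_headers(raw):
    """Parse a raw HTTP response head (status line plus header lines) into a
    list of (name, value) tuples, keeping duplicates and their order so that
    repeated headers are visible to the checker."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:              # skip the status line
        if not line.strip():
            break                       # blank line ends the header section
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def check_xfo(headers):
    """Return a list of findings for X-Frame-Options problems.
    An empty list means the response carries a single, valid XFO header."""
    findings = []
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    if not xfo:
        findings.append("missing: no X-Frame-Options header")
        return findings
    if len(xfo) > 1:
        # The case from the article: frontend and backend each added one.
        findings.append("multiple X-Frame-Options headers: %s" % xfo)
    for value in xfo:
        if "," in value:
            # Comma-merged values (e.g. "DENY, SAMEORIGIN") are invalid.
            findings.append("merged values in one header: %r" % value)
            continue
        parts = value.split()
        token = parts[0].upper() if parts else ""
        if token not in _ALLOWED:
            findings.append("unknown value: %r" % value)
        elif token == "ALLOW-FROM" and len(parts) != 2:
            findings.append("ALLOW-FROM without a single URI: %r" % value)
    return findings


def audit(raw):
    """Convenience wrapper: parse a raw response head and check its XFO header."""
    return check_xfo(parse_headers(raw))


# Constructed sample captures modelled on the article's /app1/ and /app2/ cases.
SAMPLE_APP1 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)
SAMPLE_APP2 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)
SAMPLE_MERGED = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY, SAMEORIGIN\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("app1", SAMPLE_APP1), ("app2", SAMPLE_APP2), ("merged", SAMPLE_MERGED)):
        print(label, audit(raw) or "OK")
```

Run it against a response head captured from the proxy (for example pasted from a browser's developer tools or a curl -i capture) for each URI; after moving the header to a single component, every URI should report OK.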


Additional Information

NetSparker KB Link