- What is the X-Frame-Options response header? What is the implication of setting it?
- What are the different options for the X-Frame-Options response header?
- What are the other considerations?
- Does the Single Sign-On Web Agent support the X-Frame-Options response header?
Version: R12.8.6a
The X-Frame-Options HTTP response header can be used to indicate
whether or not a browser should be allowed to render a page in a
<frame> or <iframe>. Sites can use this to avoid Clickjacking attacks,
by ensuring that their content is not embedded into other sites
(1)(2)(3).
X-Frame-Options Header Types
There are three possible values for the X-Frame-Options header:
- DENY: prevents any domain from framing the content. The "DENY" setting is recommended unless a specific need for framing has been identified.
- SAMEORIGIN: allows only the current site to frame the content.
- ALLOW-FROM uri: permits only the specified 'uri' to frame this page (e.g., ALLOW-FROM http://www.example.com).
Browser Support
The following browsers support X-Frame-Options headers.
| Browser | DENY/SAMEORIGIN Support Introduced | ALLOW-FROM Support Introduced |
|---|---|---|
| Chrome | 4.1.249.1042 (4) | Not supported / bug reported (5) |
| Firefox (Gecko) | 3.6.9 (1.9.2.9) (6) | 18.0 (7) |
| Internet Explorer | 8.0 (8) | 9.0 (9) |
| Opera | 10.50 | |
| Safari | 4.0 (10) | Not supported / bug reported (11) |
Note: X-Frame-Options is deprecated. While the X-Frame-Options header is
supported by the major browsers, it was never standardized and has
been deprecated in favour of the frame-ancestors directive from the
CSP Level 2 specification.
Single Sign-on Web Agent support for X-Frame-Options
Single Sign-on Web Agent r12.5 (as of CR5) does not support the
XFrameOptions ACO parameter.
It also drops the X-Frame-Options header even when the header is set
by the web server directly.
For example, to configure Apache to send the X-Frame-Options header for all
pages, add the following directive to your site's configuration
(httpd.conf):
Header always append X-Frame-Options SAMEORIGIN
However, even with this directive in place, if the website is protected by
the SiteMinder Web Agent, the agent strips this header before it reaches
the client/browser.
In other words, the Single Sign-on Web Agent does not honor the web server's
X-Frame-Options setting.
Single Sign-on Web Agent r12.51 CR4 and above supports the
XFrameOptions ACO parameter.
The options for the XFrameOptions parameter are the same as the values
for the X-Frame-Options response header:
Options: DENY, SAMEORIGIN, ALLOW-FROM uri
Web Agent r12.51 CR4 and above also honors this header when it is set
by the web server itself and passes it through to the
client/browser.
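Because an intermediary such as the pre-r12.51 Web Agent can strip the header after the web server adds it, the header's presence should be verified at the client side. The following Python example is added here and is not part of the original article or the Web Agent product: it parses the three X-Frame-Options values listed above, recognises the CSP frame-ancestors directive that supersedes them, and classifies the protection a set of response headers provides. The function names and the sample header sets are constructed for this example.

```python
from urllib.parse import urlparse

VALID_XFO = ("DENY", "SAMEORIGIN")


def parse_x_frame_options(value):
    """Return (directive, uri) for a valid value, or None if malformed.
    Browsers ignore a malformed value, leaving the page frameable."""
    token = value.strip()
    upper = token.upper()  # directives are case-insensitive
    if upper in VALID_XFO:
        return upper, None
    if upper.startswith("ALLOW-FROM "):
        uri = token[len("ALLOW-FROM "):].strip()
        parsed = urlparse(uri)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return "ALLOW-FROM", uri
    return None


def framing_protection(headers):
    """Classify the framing protection in a dict of response headers.
    Returns 'csp', 'xfo', 'xfo-allow-from', 'xfo-invalid' or 'none'."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if "frame-ancestors" in lower.get("content-security-policy", "").lower():
        return "csp"  # CSP frame-ancestors takes precedence over X-Frame-Options
    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "none"  # e.g. the header was stripped before reaching the client
    parsed = parse_x_frame_options(xfo)
    if parsed is None:
        return "xfo-invalid"
    return "xfo-allow-from" if parsed[0] == "ALLOW-FROM" else "xfo"


# Constructed sample responses (not captured from a real server): as Apache
# sends it, as a pre-r12.51 Web Agent delivers it (header stripped), a typo,
# and the CSP replacement.
SAMPLES = {
    "apache_direct": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "agent_stripped": {"Content-Type": "text/html"},
    "typo": {"X-Frame-Options": "SAME-ORIGIN"},
    "csp": {"Content-Security-Policy": "frame-ancestors 'self'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {framing_protection(hdrs)}")
```

To check a live deployment, feed the function the headers of a response fetched through the Web Agent rather than one taken directly from the web server.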
(1) Clickjacking Defense Cheat Sheet - OWASP
    https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#X-Frame-Options_Header_Types
(2) The X-Frame-Options response header - HTTP | MDN
    https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
(3) Help Prevent Attacks
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/web-agent-configuration/user-protection-and-tracking/help-prevent-attacks.html
(4) Security in Depth: New Security Features
    http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html
(5) Issue 129139: Chrome not support Allow-From in X-Frame-Options header
    https://code.google.com/p/chromium/issues/detail?id=129139
(6) X-Frame-Options
    https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options?redirectlocale=en-US&redirectslug=The_X-FRAME-OPTIONS_response_header
(7) Implement Allow-From syntax for X-Frame-Options
    https://bugzilla.mozilla.org/show_bug.cgi?id=690168
(8) Clickjacking Defense in IE8
    https://www.microsoft.com/security/blog/2009/02/05/clickjacking-defense-in-ie8/
(9) X-Frame-Options Compatibility Test
    http://erlend.oftedal.no/blog/tools/xframeoptions/
(10) Apple Safari jumbo patch: 50+ vulnerabilities fixed
    http://www.zdnet.com/blog/security/apple-safari-jumbo-patch-50-vulnerabilities-fixed/3541
(11) Bug 94836 - Support for X-Frame-Options: Allow-From [uri]
    https://bugs.webkit.org/show_bug.cgi?id=94836