- What is X-Frame-Options response header? What is the implication
    of setting it ?
  - What are the different options for X-Frame-Options response
    header ?
  - What are the other considerations ?
  - Does Single Sign-On Web Agent have support for X-Frame-Options
    response header ?

Version : R12.8.6a

The X-Frame-Options HTTP response header can be used to indicate
whether or not a browser should be allowed to render a page in a
<frame> or <iframe>. Sites can use this to avoid Clickjacking attacks,
by ensuring that their content is not embedded into other sites
(1)(2)(3).

X-Frame-Options Header Types

There are three possible values for the X-Frame-Options header:

 - DENY : which prevents any domain from framing the content. The
          "DENY" setting is recommended unless a specific need has been
          identified for framing.
 
 - SAMEORIGIN : which only allows the current site to frame the
                content.

 - ALLOW-FROM uri : which permits the specified 'uri' to frame this
                    page. (e.g., ALLOW-FROM http://www.example.com)
   
Browser Support

The following browsers support X-Frame-Options headers.

  | Browser           | DENY/SAMEORIGIN Support Introduced | ALLOW-FROM Support Introduced   |
  |-------------------+------------------------------------+---------------------------------|
  | Chrome            | 4.1.249.1042 (4)                   | Not supported/Bug reported (5)  |
  | Firefox (Gecko)   | 3.6.9 (1.9.2.9) (6)                | 18.0 (7)                        |
  | Internet Explorer | 8.0 (8)                            | 9.0 (9)                         |
  | Opera             | 10.50                              |                                 |
  | Safari            | 4.0 (10)                           | Not supported/Bug reported (11) |

Note :

X-Frame-Options Deprecated While the X-Frame-Options header is
supported by the major browsers, it was never standardized and has
been deprecated in favour of the frame-ancestors directive from the
CSP Level 2 specification.

Single Sign-on Web Agent support for X-Frame-Options

Single Sign-on Web Agent r12.5 (as of CR5) does not have support for
XFrameOptions ACO Parameter.

It also drops the X-Frame-Options header even if the header is set
from the Web Server directly.

For e.g To configure Apache to send the X-Frame-Options header for all
pages, you will add following configuration to your site's
configuration (httpd.conf):

   Header always append X-Frame-Options SAMEORIGIN

However, even when you have this, if the WebSite is protected by
SiteMinder web agent, it drops this header from reaching to the
client/browser.

In other words, Single Sign-on Web Agent doesn't honor the web-server
setting for X-Frame-Options.

Single Sign-on Web Agent r12.51 CR4 and above does have support for
XFrameOptions ACO Parameter.

The options for the XFrameOptions parameter are the same as the values
for the X-Frame-Options response header:

   Options: DENY, SAMEORIGIN, ALLOW-FROM uri

r12.51 CR4 and above Web Agent, also do honor this header if it is
being set by the WebServer itself and let the header pass to the
client/browser.

(1)

    Clickjacking Defense Cheat Sheet - OWASP
    https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#X-Frame-Options_Header_Types

(2)

    The X-Frame-Options response header - HTTP | MDN
    https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

(3)

    Help Prevent Attacks
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/web-agent-configuration/user-protection-and-tracking/help-prevent-attacks.html

(4)

    Security in Depth: New Security Features
    http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html

(5)

    Issue 129139: Chrome not support Allow-From in X-Frame-Options header
    https://code.google.com/p/chromium/issues/detail?id=129139

(6)

    X-Frame-Options
    https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options?redirectlocale=en-US&redirectslug=The_X-FRAME-OPTIONS_response_header
    

(7)

    Implement Allow-From syntax for X-Frame-Options
    https://bugzilla.mozilla.org/show_bug.cgi?id=690168
    

(8)

    Clickjacking Defense in IE8
    https://www.microsoft.com/security/blog/2009/02/05/clickjacking-defense-in-ie8/

(9)

   X-Frame-Options Compatibility Test
   http://erlend.oftedal.no/blog/tools/xframeoptions/

(10)

   Apple Safari jumbo patch: 50+ vulnerabilities fixed
   http://www.zdnet.com/blog/security/apple-safari-jumbo-patch-50-vulnerabilities-fixed/3541
   

(11)

   Bug 94836 - Support for X-Frame-Options: Allow-From [uri]
   https://bugs.webkit.org/show_bug.cgi?id=94836