Combating ClickJacking With X-Frame-Options - EricLaw's IEInternals. Back in January of 2009, I announced IE8’s support for a new header-specified directive: X-Frame-Options, that can be used to mitigate ClickJacking attacks.
As a declarative security measure, X-Frame-Options has minimal compatibility impact, but requires adoption by clients and servers in order to provide its security benefit. Since its introduction in IE8, we’ve seen a number of sites and other browsers adopt support for this directive as a mechanism to prevent malicious framing of content (called “ClickJacking” or “UI Redress” attacks), since frame-busting scripts can be defeated. You can determine if your browser supports the X-Frame-Options directive using this test page.
When permission to frame is denied, some browsers (e.g. IE, Opera) will show a message that allows the user to safely open the target page in a new window. Browsers Supporting X-Frame-Options IE8+Opera 10.50+Safari 4+Chrome 220.127.116.112+ (Allow-From not yet supported)Firefox 3.6.9 (or earlier with NoScript) X-Frame-Options something web developers should know. X-Frame-Options Originally invented by Microsoft for IE8, but supported by a number of browsers, this idea might have more uses than what it was intended for originally.
Let's have a bit deeper a look at what it is and how we can use it. What is it good for? Originally is was intended as a way to prevent clickjacking. To understand clickjacking, let's first look at Cross Site Request Forgery (CSRF). Clickjacking is a way to trick visitors into interacting with a victim website without the user knowing he's doing it by e.g. overlaying other things such as images over the elements. Framebusting is a common technique to prevent clickjacking, sadly framebusting can be defeated. X-Frame-Options was introduced in a beta release of IE8 as an alternative. So what is X-Frame-Options?
It's a HTTP response header. HTTP, not HTML! What does it not do? It doesn't protect your web site from being a victim from clickjacking as by far not all browsers support it. So you still need all the other measures too. Adoption of X-FRAME-OPTIONS Header. Late 2008, Jeremiah Grossman and Robert Hansen publicized the clickjacking problem and got the web app security experts all trying to come up with solutions.
One of the more viable solution is the X-FRAME-OPTIONS header that allow a site to control whether its content can be within a frame. There are two settings to this header, DENY blocks the content from being in a frame and SAMEORIGIN only allows the content to be framed by pages within the same origin. While it is not the end all and be all of clickjacking solution and won't work in some sites that extensively use frames across multiple sites, it is considered as a more reasonable approach for sites to protect their own content.
Johannes Ullrich and I got a little curious about the adoption of X-FRAME-OPTIONS header in the major sites. We went and got the list of top sites according to Alexa and see if the top sites actually use X-FRAME-OPTIONS header. IEBlog : IE8 Security Part VII: ClickJacking Defenses. As we planned Internet Explorer 8, our security teams analyzed the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next.
Over the course of IE8’s development, we’ve also worked closely with those in the security research community to stay on top of new classes of threats. One of the most subtle and interesting web application security vulnerabilities is called Cross Site Request Forgery (CSRF); security researcher Jeremiah Grossman calls CSRF “the sleeping giant” of web vulnerabilities. As Jeremiah notes, preventing CSRF attacks is hard because there’s generally no easy fix. The architectural underpinnings of the browser security model are designed to allow for interaction with multiple websites simultaneously, and seamless navigation between unrelated websites, but these are the very capabilities that CSRF attacks seek to exploit. Obviously, this is a pretty simple ClickJacking attack, but more sophisticated versions do exist.