Monday, August 30, 2010

X-Frame-Options Support in Firefox

Concerned about clickjacking or tired of sites wrapping your content with their ads? The solution is x-frame-options, and it will be supported in Firefox as of 3.6.9 (grab a build now if you'd like to try it out).


What is x-frame-options?
x-frame-options is a header value that is set by the webserver which instructs supported browsers on whether to allow a particular page to be framed by other pages. The intention is to prevent the following:

HTML from attackersite.com:

<html>
<body>
<!-- ads, phishing, clickjacking, etc. -->
<iframe src="http://yoursite.com"></iframe>
</body>
</html>

Valid values for x-frame-options
When setting x-frame-options on the webserver you will need to select between two options: "SAMEORIGIN" or "DENY".

SAMEORIGIN - allows only sites from the same domain to frame the page
DENY - prevents any site from framing the page

Where is x-frame-options needed?
You could choose to simply add the x-frame-options header to every response sent from your webserver. That would work, but there is at least one interesting byproduct of that approach: it would break the ability for your site to be listed in Google Images search, since even the images would carry the x-frame-options header. That might not be a big deal, but it is worth considering which items, if any, you do want to be framed by third parties.

However, the bare minimum to prevent clickjacking attacks is to set the x-frame-options header for any page that allows a user to perform a state-changing operation. Think login forms, confirmation pages, update pages, etc. Here is a basic rule for remembering where x-frame-options must be used:

If you are adding a CSRF token to a page, then you also need the x-frame-options header.

Don't be confused and think that x-frame-options is dependent upon a CSRF token; that's not the case. But both controls are used to prevent the unintended completion of a state-changing operation without the user's consent. Therefore, it is generally true that a page which needs one of these controls would also need the other.
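As an added example that is not part of the original post, the following Python WSGI middleware applies DENY to HTML responses only (so images stay frameable, avoiding the Google Images byproduct above), and an audit function applies the rule that a page carrying a CSRF token must also carry x-frame-options. The sample app, the fetch helper and the CSRF input pattern are constructed assumptions for the demonstration.

```python
import re

# Constructed helpers and names; assumptions for this example, not from the post.
VALID_VALUES = {"DENY", "SAMEORIGIN"}
CSRF_INPUT = re.compile(r'<input[^>]*\bname=["\']?\w*csrf', re.I)


def xfo_middleware(app, value="DENY"):
    """WSGI middleware: add X-Frame-Options to HTML responses only, so images
    and other assets remain frameable by third parties such as image search."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
            has_xfo = any(k.lower() == "x-frame-options" for k, _ in headers)
            if ctype.lower().startswith("text/html") and not has_xfo:
                headers = headers + [("X-Frame-Options", value)]
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def sample_app(environ, start_response):
    """Constructed site: one state-changing form (with CSRF token) and one image."""
    if environ["PATH_INFO"] == "/logo.png":
        start_response("200 OK", [("Content-Type", "image/png")])
        return [b"\x89PNG..."]
    body = b'<form method="post"><input type="hidden" name="csrf_token" value="x"></form>'
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def fetch(app, path):
    """Drive a WSGI app in-process; return (response headers, body text)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["headers"], body.decode("utf-8", "replace")


def audit_response(headers, body):
    """Apply the post's rule: a page with a CSRF token needs X-Frame-Options,
    and any value present must be DENY or SAMEORIGIN."""
    xfo = next((v for k, v in headers if k.lower() == "x-frame-options"), None)
    findings = []
    if xfo is not None and xfo.strip().upper() not in VALID_VALUES:
        findings.append("unrecognised X-Frame-Options value: %r" % xfo)
    if xfo is None and CSRF_INPUT.search(body):
        findings.append("CSRF token present but no X-Frame-Options header")
    return findings
```

Running audit_response over the site's responses before and after wrapping it in xfo_middleware shows the update page flagged only in the unwrapped case, while the image is never given the header.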
 
DENY or SAMEORIGIN?
Use DENY unless you are aware of specific (and authorized) framing of your pages from other pages on your domain. DENY is the more restrictive behavior and is the best way to protect your site.

Why not use frame busting JavaScript?
Frame busting JavaScript is a cat and mouse game that is fragile and often dependent upon particularities of each browser. There is frame busting code and frame-busting-busting code. The frame-busting JavaScript approach is flimsy and requires a lot of work for mediocre results.

Supported Browsers
Firefox 3.6.9 & 4  (and older Firefox versions with NoScript add-on)
IE 8+
Opera 10.50
Safari 4

Additional Reading
https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
http://www.owasp.org/index.php/Clickjacking#Defending_with_response_headers



-Michael Coates