Monday, August 30, 2010

X-Frame-Options Support in Firefox

Concerned about clickjacking or tired of sites wrapping your content with their ads?  The solution is x-frame-options and it will be supported in Firefox as of 3.6.9 (grab a build now if you'd like to try it out)

What is x-frame-options? 
x-frame-options is a header value that is set by the webserver which instructs supported browsers on whether to allow a particular page to be framed by other pages. The intention is to prevent the following:

HTML from

ads, phishing, clickjacking, etc
<iframe src=""></iframe>

Valid values for x-frame-options
When setting the x-frame-options on the webserver you will need to select between two options - 

SAMEORIGIN - allows only sites from the same domain to frame the page
DENY - prevents any site from framing the page

Where is x-frame-options needed?
You could choose to simply add the x-frame-options header to every response sent from your webserver. That would work but there is at least one interesting byproduct of that approach - this would break the ability for your site to be listed in google images search since even the images would have the x-frame-options header. That might not be a big deal, but it is interesting to consider what items, if any, you do want to be framed by third parties.

However, the bare-minimum to prevent against clickjacking attacks is to set the x-frame-options header for any page that allows a user to make a state changing operation. Think login forms, confirmation pages, update pages, etc.  Here is a basic rule to remember where x-frame-options must be used.

If you are adding a CSRF token to a page then you also need x-frame-options header.  

Don't be confused and think that x-frame-options is dependant upon a CSRF token - thats not the case. But both controls are used to prevent the unintended completion of a state-changing operation without the user's consent. Therefore, it is generally true that a page which needs one of these controls would also need the other.
Use DENY unless you are aware of specific (and authorized) framing of your pages from other pages on your domain. DENY is the more restrictive behavior and is the best way to protect your site.

Why not use frame busting JavaScript?
Frame busting JavaScript is a cat and mouse game that is fragile and often dependent upon particularities of each browser. There is frame busting code and frame-busting-busting code. The frame-busting JavaScript approach is flimsy and requires a lot of work for mediocre results.

Supported Browsers
Firefox 3.6.9 & 4  (and older Firefox versions with NoScript add-on)
IE 8+
Opera 10.50
Safari 4

Additional Reading

-Michael Coates

Thursday, August 19, 2010

Facebook Places - You Don't Control Your Own Location

Facebook has introduced a new feature, places, that allows you to broadcast where you are currently located.  An interesting point that has been brought up by several people; by default, the user is not in control of their own location.
If you are signed up for places then any of your friends can tag you at any location of their choosing - whether or not you are actually there. Of course, there is supposedly a preference setting to disable this. But, I spent a few minutes looking through the FAQ and my privacy settings and all I saw was an option to restrict who could view my location.  I couldn't easily find an option to actually prevent others from tagging me. However, according to the FAQ you do have the option of looking for every instance of a friend tagging you and manually remove yourself each time :/

I think the argument about privacy and facebook has been beat to death. There really isn't anything left to say. By using facebook you are either consciously, or unconsciously, surrendering all of your data to someone or some advertising corporation.  However, this new "feature" adds a whole new level to the discussion.

What impact will location tracking have on people's safety?  How many users will quickly enable this new feature and continually broadcast their current location to the world?  Will users fake the location of others in order to lure someone to a particular place?

Facebook has thought of one scenario and added this information to their FAQ.

It's good to consider the impact on kids and the necessity for additional controls, but does restricting this information to only their friends actually do anything? The average facebook user will friend anyone they remotely know or have talked to long enough to exchange profile info. In reality, this restriction does not really accomplish much of anything. The average child on facebook will be sharing their location data with hundreds of their "friends"

The last thing to consider is facebook's track record on protecting data. How long will it be until advertisers find a way to pilfer this data from people? Or what about the next privacy setting overhaul which changes the defaults or makes it more difficult to control who sees your location data?

Geo tagging is nothing new. What is new is the integration of this technology with facebook - a company with a huge user base and a history of disregarding the security and privacy of users.

-Michael Coates

Monday, August 16, 2010

Mozilla at OWASP AppSecUSA

Several Mozilla employees will be attending this year's OWASP AppSecUSA event held in Irvine, CA (Sept 7-10).  OWASP conferences focuse entirely on application security and are considered the premier event for this area of security.

I encourage you to check out the event and considering attending yourself. This conference is great for developers, security engineers, and anyone interested in the rapidly growing field of application security.

I will be presenting on Friday on the integration of ESAPI and AppSensor. I will also be discussing how AppSensor ideas are being integrated into Mozilla applications for real time attacker detection.  In addition, Mozilla will be tending a booth with demos and information on Content Security Policy, a great security addition to Firefox that will be coming soon. Stop by, say hello, and find out how you can leverage CSP in your websites.

Conference registration link

-Michael Coates