Mozilla advises webmasters to implement X-Frame-Options security header

The header can easily solve many security problems, a Mozilla security engineer said

In light of overall low adoption of HTTP security headers, Mozilla is advising webmasters to at least implement X-Frame-Options on their sites, arguing that this header can prevent several types of attacks.

The X-Frame-Options is an HTTP response header that allows webmasters to define if and how their websites can be loaded into frame elements on other sites. It comes with three options: ALLOW, DENY and SAMEORIGIN, the latter meaning a page can only be framed by other pages with the same origin -- same domain, URI scheme and port. There's a fourth option called ALLOW-FROM, but it's not supported by all browsers.

If a site X tries to load a page from a site Y into a frame and site Y includes X-Frame-Options DENY in its responses, a modern browser visiting site X will not load the framed page.

This header was primarily created as a security mechanism against clickjacking attacks, which can be used to trick users into performing actions on websites without their knowledge.

A common clickjacking technique is to load a button from a targeted site into an iframe on an attack site and then use legitimate Web development techniques to make the framed content transparent. The framed button can be positioned over a clickable element from the attack site, so that when a site's visitor attempts to click on the visible element, they actually click on the now invisible button from the targeted website that was positioned on top.

A few years ago this type of attack was common on Facebook, attackers using it to trick users into unknowingly sharing spam messages from their accounts. However, the possibilities for clickjacking-based abuse are varied and depend on the nature of the targeted site.

Despite X-Frame-Options being relatively easy to implement, a scan of the Internet's top 1 million most trafficked websites by security firm Veracode in November, revealed thatonly around 30,000 sites were using the header and a few hundred of those were actually using it incorrectly.

Clickjacking is not the only type of attack that X-Frame-Options can prevent, Frederik Braun, a security engineer at Mozilla, said Thursday in a blog post.

For example, Internet Explorer allows websites to specify that they want to run in IE7 compatibility mode, meaning they will be rendered with algorithms from Internet Explorer 7 that date back to 2006. IE7 lacks many security mechanisms against content injection attacks that exist in the browser's newer versions, Braun said.

The problem is that a page loaded in a frame by a site running in IE7 compatibility mode will also be rendered in IE7 compatibility mode. This means attackers can frame a site in a page running in IE7 compatibility mode to defeat the security protections the targeted site would normally offer to users of recent IE versions, according to Braun.

"If the evil website runs in IE7 compatibility mode, then so does yours!" Braun said. If your website would not allow itself to be framed by using X-Frame-Options, your IE users wouldn't be at risk, he said.

Another technique that involves the window.name attribute could be used to bypass certain restrictions and more easily execute XSS (cross-site scripting) attacks when a site is loaded into a frame, the Mozilla security engineer said.

Braun recently published with another researcher a paper on X-Frame-Options that covers many attacks the header can prevent in detail.

"These and many other attacks are possible if you allow your web page to be displayed in a frame," Braun said in the Mozilla blog post. "The fact that many other sites are vulnerable to these sort of attacks is not a good reason to leave your website unprotected. You can easily address many security problems by just adding this simple header to your web application right away."

The Mozilla developers site includes information on how to configure X-Frame-Options on the Apache and Nginx Web servers and Braun's blog post contains links to instructions on how to enable the header on Web frameworks like Django and NodeJS.

Tags Web services developmentapplication developmentonline safetysecurityWeb serverssoftwaremozilla

Recommended

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?