Mozilla advises webmasters to implement X-Frame-Options security header

The header can easily solve many security problems, a Mozilla security engineer said

In light of overall low adoption of HTTP security headers, Mozilla is advising webmasters to at least implement X-Frame-Options on their sites, arguing that this header can prevent several types of attacks.

The X-Frame-Options is an HTTP response header that allows webmasters to define if and how their websites can be loaded into frame elements on other sites. It comes with three options: ALLOW, DENY and SAMEORIGIN, the latter meaning a page can only be framed by other pages with the same origin -- same domain, URI scheme and port. There's a fourth option called ALLOW-FROM, but it's not supported by all browsers.

If a site X tries to load a page from a site Y into a frame and site Y includes X-Frame-Options DENY in its responses, a modern browser visiting site X will not load the framed page.

This header was primarily created as a security mechanism against clickjacking attacks, which can be used to trick users into performing actions on websites without their knowledge.

A common clickjacking technique is to load a button from a targeted site into an iframe on an attack site and then use legitimate Web development techniques to make the framed content transparent. The framed button can be positioned over a clickable element from the attack site, so that when a site's visitor attempts to click on the visible element, they actually click on the now invisible button from the targeted website that was positioned on top.

A few years ago this type of attack was common on Facebook, attackers using it to trick users into unknowingly sharing spam messages from their accounts. However, the possibilities for clickjacking-based abuse are varied and depend on the nature of the targeted site.

Despite X-Frame-Options being relatively easy to implement, a scan of the Internet's top 1 million most trafficked websites by security firm Veracode in November, revealed thatonly around 30,000 sites were using the header and a few hundred of those were actually using it incorrectly.

Clickjacking is not the only type of attack that X-Frame-Options can prevent, Frederik Braun, a security engineer at Mozilla, said Thursday in a blog post.

For example, Internet Explorer allows websites to specify that they want to run in IE7 compatibility mode, meaning they will be rendered with algorithms from Internet Explorer 7 that date back to 2006. IE7 lacks many security mechanisms against content injection attacks that exist in the browser's newer versions, Braun said.

The problem is that a page loaded in a frame by a site running in IE7 compatibility mode will also be rendered in IE7 compatibility mode. This means attackers can frame a site in a page running in IE7 compatibility mode to defeat the security protections the targeted site would normally offer to users of recent IE versions, according to Braun.

"If the evil website runs in IE7 compatibility mode, then so does yours!" Braun said. If your website would not allow itself to be framed by using X-Frame-Options, your IE users wouldn't be at risk, he said.

Another technique that involves the window.name attribute could be used to bypass certain restrictions and more easily execute XSS (cross-site scripting) attacks when a site is loaded into a frame, the Mozilla security engineer said.

Braun recently published with another researcher a paper on X-Frame-Options that covers many attacks the header can prevent in detail.

"These and many other attacks are possible if you allow your web page to be displayed in a frame," Braun said in the Mozilla blog post. "The fact that many other sites are vulnerable to these sort of attacks is not a good reason to leave your website unprotected. You can easily address many security problems by just adding this simple header to your web application right away."

The Mozilla developers site includes information on how to configure X-Frame-Options on the Apache and Nginx Web servers and Braun's blog post contains links to instructions on how to enable the header on Web frameworks like Django and NodeJS.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags application developmentWeb services developmentonline safetysecuritysoftwareWeb serversmozilla

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?