Mozilla advises webmasters to implement X-Frame-Options security header

The header can easily solve many security problems, a Mozilla security engineer said

By Lucian Constantin, IDG News Service | Cloud Computing

In light of overall low adoption of HTTP security headers, Mozilla is advising webmasters to at least implement X-Frame-Options on their sites, arguing that this header can prevent several types of attacks.

X-Frame-Options is an HTTP response header that allows webmasters to define if and how their websites can be loaded into frame elements on other sites. It comes with three options: ALLOW, DENY and SAMEORIGIN, the latter meaning a page can only be framed by other pages with the same origin -- same domain, URI scheme and port. There's a fourth option called ALLOW-FROM, but it's not supported by all browsers.

If a site X tries to load a page from a site Y into a frame and site Y includes X-Frame-Options DENY in its responses, a modern browser visiting site X will not load the framed page.

This header was primarily created as a security mechanism against clickjacking attacks, which can be used to trick users into performing actions on websites without their knowledge.

A common clickjacking technique is to load a button from a targeted site into an iframe on an attack site and then use legitimate Web development techniques to make the framed content transparent. The framed button can be positioned over a clickable element from the attack site, so that when a site's visitor attempts to click on the visible element, they actually click on the now invisible button from the targeted website that was positioned on top.

A few years ago this type of attack was common on Facebook, attackers using it to trick users into unknowingly sharing spam messages from their accounts. However, the possibilities for clickjacking-based abuse are varied and depend on the nature of the targeted site.

Despite X-Frame-Options being relatively easy to implement, a scan of the Internet's top 1 million most trafficked websites by security firm Veracode in November revealed that only around 30,000 sites were using the header and a few hundred of those were actually using it incorrectly.
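As an added illustration (not part of the article or of Mozilla's post), the following Python model applies the framing rules described above to constructed sample headers and flags the sites whose header offers no protection. It assumes, as a simplification of browser behaviour, that an absent or unrecognised value imposes no restriction, which is why a misspelled directive counts as a misconfiguration.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not from the article): X-Frame-Options value per site.
SAMPLE_HEADERS = {
    "https://bank.example": "DENY",
    "https://shop.example": "SAMEORIGIN",
    "https://wiki.example": "sameorigin",                  # values are case-insensitive
    "https://blog.example": "ALLOW-FROM https://partner.example",
    "https://typo.example": "SAME-ORIGIN",                 # misspelled: not a valid directive
    "https://none.example": None,                          # header absent
}

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) triple that SAMEORIGIN compares."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def parse_xfo(value):
    """Classify a header value as deny, sameorigin, allow-from, absent or invalid.

    Modelling assumption: absent or malformed values give the browser no
    instruction, so the page stays frameable by any site.
    """
    if value is None:
        return ("absent", None)
    tokens = value.strip().split()
    directive = tokens[0].upper() if tokens else ""
    if len(tokens) == 1 and directive in ("DENY", "SAMEORIGIN"):
        return (directive.lower(), None)
    if len(tokens) == 2 and directive == "ALLOW-FROM":
        return ("allow-from", origin(tokens[1]))
    return ("invalid", None)

def framing_allowed(framed_url, header_value, framer_url):
    """Decide whether framer_url may load framed_url, given the framed page's header."""
    kind, allowed_origin = parse_xfo(header_value)
    if kind == "deny":
        return False
    if kind == "sameorigin":
        return origin(framed_url) == origin(framer_url)
    if kind == "allow-from":
        return origin(framer_url) == allowed_origin
    return True  # absent or invalid: no restriction applied

def audit(headers):
    """Return the sites whose header provides no clickjacking protection."""
    return sorted(u for u, v in headers.items() if parse_xfo(v)[0] in ("absent", "invalid"))
```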

Clickjacking is not the only type of attack that X-Frame-Options can prevent, Frederik Braun, a security engineer at Mozilla, said Thursday in a blog post.

For example, Internet Explorer allows websites to specify that they want to run in IE7 compatibility mode, meaning they will be rendered with algorithms from Internet Explorer 7 that date back to 2006. IE7 lacks many security mechanisms against content injection attacks that exist in the browser's newer versions, Braun said.
