23907 2009-02-11 17:30:12 -0800 Implement X-Frame-Options 2011-08-02 02:36:35 -0700 1 1 1 Unclassified WebKit Frames 528+ (Nightly build) All All RESOLVED FIXED http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx P2 Normal --- 1 abarth webkit-unassigned peaceable_whale sam spamfagos steffen.weber oldest_to_newest 109400 0 abarth 2009-02-11 17:30:12 -0800 We should implement X-Frame-Options to help sites defend against ClickJacking. Here is a blog post describing the feature: http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx I'm not sure this completely solves the ClickJacking problem, but it certainly does more good than harm. I can ask Eric Lawrence for a more detailed design doc if we want to make sure we match IE's behavior. Here is the Mozilla bug on this topic: https://bugzilla.mozilla.org/show_bug.cgi?id=475530 dveditz seems similarly positively disposed to implementing this feature. 117267 1 abarth 2009-04-12 14:09:34 -0700 This seems to be done in http://trac.webkit.org/changeset/42333 117269 2 sam 2009-04-12 14:26:08 -0700 Indeed. I didn't remember this bug when I implemented it. My bad. 445138 3 spamfagos 2011-08-02 00:58:17 -0700 The current implementation of X-Frame-Options is not complete! IE8+ also supports ALLOW-FROM origin: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx Are there are plans to implement this in webkit? 445169 4 abarth 2011-08-02 02:36:35 -0700 X-Frame-Options is currently working its way though the IETF. I expect we'll implement whatever the final standard says, but it's not entirely clear what that will be at the moment. Thanks for your interest.