Bug 23907

Summary: Implement X-Frame-Options
Product: WebKit Reporter: Adam Barth <abarth>
Component: FramesAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: peaceable_whale, sam, spamfagos, steffen.weber
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

Description Adam Barth 2009-02-11 17:30:12 PST 
We should implement X-Frame-Options to help sites defend against ClickJacking.  Here is a blog post describing the feature:

http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

I'm not sure this completely solves the ClickJacking problem, but it certainly does more good than harm.  I can ask Eric Lawrence for a more detailed design doc if we want to make sure we match IE's behavior.

Here is the Mozilla bug on this topic:

https://bugzilla.mozilla.org/show_bug.cgi?id=475530

dveditz seems similarly positively disposed to implementing this feature.
Comment 1 Adam Barth 2009-04-12 14:09:34 PDT 
This seems to be done in http://trac.webkit.org/changeset/42333
Comment 2 Sam Weinig 2009-04-12 14:26:08 PDT 
Indeed.  I didn't remember this bug when I implemented it.  My bad.
Comment 3 spamfagos 2011-08-02 00:58:17 PDT 
The current implementation of X-Frame-Options is not complete!
IE8+ also supports ALLOW-FROM origin:
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
Are there are plans to implement this in webkit?
Comment 4 Adam Barth 2011-08-02 02:36:35 PDT 
X-Frame-Options is currently working its way though the IETF.  I expect we'll implement whatever the final standard says, but it's not entirely clear what that will be at the moment.  Thanks for your interest.