Bug 23907

Summary: | Implement X-Frame-Options | |
---|---|---|---
Product: | WebKit | Reporter: | Adam Barth <abarth>
Component: | Frames | Assignee: | Nobody <webkit-unassigned>
Status: | RESOLVED FIXED | |
Severity: | Normal | CC: | peaceable_whale, sam, spamfagos, steffen.weber
Priority: | P2 | |
Version: | 528+ (Nightly build) | |
Hardware: | All | |
OS: | All | |
URL: | http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx | |
Adam Barth
We should implement X-Frame-Options to help sites defend against ClickJacking. Here is a blog post describing the feature:
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
I'm not sure this completely solves the ClickJacking problem, but it certainly does more good than harm. I can ask Eric Lawrence for a more detailed design doc if we want to make sure we match IE's behavior.
Here is the Mozilla bug on this topic:
https://bugzilla.mozilla.org/show_bug.cgi?id=475530
dveditz seems similarly positively disposed to implementing this feature.
Adam Barth
This seems to be done in http://trac.webkit.org/changeset/42333
Sam Weinig
Indeed. I didn't remember this bug when I implemented it. My bad.
spamfagos
The current implementation of X-Frame-Options is not complete!
IE8+ also supports ALLOW-FROM origin:
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
Are there any plans to implement this in webkit?
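The decision a browser has to make for the directives discussed in this bug (DENY and SAMEORIGIN from the original report, and the ALLOW-FROM origin form raised in the comment above), written out as an added Python example. This is not WebKit's implementation and not code from any commenter; the URLs are constructed sample values, and the choice to check SAMEORIGIN against every ancestor frame rather than only the top-level one is this example's own (the stricter of the two interpretations).

```python
"""Evaluate an X-Frame-Options response header against a frame hierarchy.

Added example, not WebKit's code.  Models the three directive forms named
in the bug thread: DENY, SAMEORIGIN and "ALLOW-FROM origin".
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) origin tuple of a URL, with the
    default port filled in so that https://a.example == https://a.example:443."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def evaluate_x_frame_options(header_value, document_url, ancestor_urls):
    """Decide whether the document at `document_url`, served with the given
    X-Frame-Options value, may be rendered inside the frames listed in
    `ancestor_urls` (outermost / top-level document first).

    Returns "allow", "deny" or "invalid".  "invalid" means the header could
    not be parsed; the caller decides what to do with it (this example's
    tests treat it as a case to fail closed on).
    """
    if not ancestor_urls:
        return "allow"  # top-level navigation: the header does not apply

    tokens = header_value.strip().split()
    directive = tokens[0].upper() if tokens else ""

    if directive == "DENY" and len(tokens) == 1:
        return "deny"

    if directive == "SAMEORIGIN" and len(tokens) == 1:
        doc = origin_of(document_url)
        # Design choice of this example: every ancestor must match, so a
        # same-origin top frame cannot launder a cross-origin intermediate.
        return "allow" if all(origin_of(a) == doc for a in ancestor_urls) else "deny"

    if directive == "ALLOW-FROM" and len(tokens) == 2:
        allowed = origin_of(tokens[1])
        if allowed[0] not in DEFAULT_PORTS or not allowed[1]:
            return "invalid"  # not a usable origin (no scheme or host)
        # ALLOW-FROM names the one origin permitted to be the top-level framer.
        return "allow" if origin_of(ancestor_urls[0]) == allowed else "deny"

    return "invalid"  # unknown directive, comma-joined list, extra tokens, ...


if __name__ == "__main__":
    # Constructed sample cases, not real sites.
    doc = "https://bank.example/transfer"
    for value, ancestors in [
        ("DENY", ["https://evil.example/"]),
        ("SAMEORIGIN", ["https://bank.example/portal"]),
        ("SAMEORIGIN", ["https://bank.example/portal", "https://evil.example/mid"]),
        ("ALLOW-FROM https://partner.example", ["https://partner.example/embed"]),
        ("ALLOW-FROM https://partner.example", ["https://evil.example/"]),
        ("ALLOWALL", ["https://evil.example/"]),
    ]:
        print(f"{value!r:40} -> {evaluate_x_frame_options(value, doc, ancestors)}")
```

The origin comparison is deliberately done on the (scheme, host, port) tuple, so `https://bank.example:8443` does not satisfy SAMEORIGIN for a page on `https://bank.example`; a string comparison on the host alone would have let that through.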
Adam Barth
X-Frame-Options is currently working its way through the IETF. I expect we'll implement whatever the final standard says, but it's not entirely clear what that will be at the moment. Thanks for your interest.