RESOLVED FIXED 23907
Implement X-Frame-Options
https://bugs.webkit.org/show_bug.cgi?id=23907
Adam Barth
Reported 2009-02-11 17:30:12 PST
We should implement X-Frame-Options to help sites defend against ClickJacking. Here is a blog post describing the feature: http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx I'm not sure this completely solves the ClickJacking problem, but it certainly does more good than harm. I can ask Eric Lawrence for a more detailed design doc if we want to make sure we match IE's behavior. Here is the Mozilla bug on this topic: https://bugzilla.mozilla.org/show_bug.cgi?id=475530 dveditz seems similarly positively disposed to implementing this feature.
Adam Barth
Comment 1 2009-04-12 14:09:34 PDT
Sam Weinig
Comment 2 2009-04-12 14:26:08 PDT
Indeed. I didn't remember this bug when I implemented it. My bad.
spamfagos
Comment 3 2011-08-02 00:58:17 PDT
The current implementation of X-Frame-Options is not complete! IE8+ also supports ALLOW-FROM origin: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx Are there plans to implement this in WebKit?
Adam Barth
Comment 4 2011-08-02 02:36:35 PDT
X-Frame-Options is currently working its way through the IETF. I expect we'll implement whatever the final standard says, but it's not entirely clear what that will be at the moment. Thanks for your interest.