WebKit Bugzilla
RESOLVED FIXED
23907
Implement X-Frame-Options
https://bugs.webkit.org/show_bug.cgi?id=23907
Adam Barth
Reported
2009-02-11 17:30:12 PST
We should implement X-Frame-Options to help sites defend against ClickJacking. Here is a blog post describing the feature:
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
I'm not sure this completely solves the ClickJacking problem, but it certainly does more good than harm. I can ask Eric Lawrence for a more detailed design doc if we want to make sure we match IE's behavior. Here is the Mozilla bug on this topic:
https://bugzilla.mozilla.org/show_bug.cgi?id=475530
dveditz seems similarly positively disposed to implementing this feature.
Adam Barth
Comment 1
2009-04-12 14:09:34 PDT
This seems to be done in
http://trac.webkit.org/changeset/42333
Sam Weinig
Comment 2
2009-04-12 14:26:08 PDT
Indeed. I didn't remember this bug when I implemented it. My bad.
spamfagos
Comment 3
2011-08-02 00:58:17 PDT
The current implementation of X-Frame-Options is not complete! IE8+ also supports ALLOW-FROM origin:
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
Are there plans to implement this in WebKit?
Adam Barth
Comment 4
2011-08-02 02:36:35 PDT
X-Frame-Options is currently working its way through the IETF. I expect we'll implement whatever the final standard says, but it's not entirely clear what that will be at the moment. Thanks for your interest.