Updated: January 29th, 2010

Today I found out something entirely new about frame busting and, specifically, clickjacking protection techniques.

I was working with a site that was using frames. Suddenly, one of the frames (hosted on a domain other than the one it was embedded in) displayed the following message (in Firefox 3.5.4):

This content cannot be displayed in a frame

To protect your security, the publisher of this content does
not allow it to be displayed in a frame.

Click here to open this content in a new window


Notice how this is a native Firefox window and not a web page rendering. Quite stumped, I started looking at the frame's HTTP response and finally found that it included this little header:

X-FRAME-OPTIONS: DENY

It turns out that IE8, and Firefox 3.5 with the NoScript add-on (it is NoScript that does this, not Firefox itself), treat this header as a precautionary measure and, under the conditions described below, display a generic "warning" to the user instead of the page content. This effort, led, surprisingly, by Microsoft, was really aimed at protecting users from clickjacking (I wrote about clickjacking here earlier) but can be viewed as an alternative to frame busting.

Microsoft introduced the new X-FRAME-OPTIONS response header with the following possible values:

  • DENY – prevents the page from being rendered if it is contained in a frame, no matter who is framing it
  • SAMEORIGIN – same as above, unless the top-level page holding the frameset has the same origin (scheme, host and port, not merely the same domain) as the framed page.
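To make the two values concrete, here is an added example (it is not code from the original post, from NoScript or from any browser): a small model of the decision a browser makes when it sees X-FRAME-OPTIONS on a framed response, together with a helper for setting the header on the server side. The function names `originOf`, `evaluateFrameOptions` and `applyFrameOptions`, and the `*.example` hosts in the comments, are assumptions of this example. It goes slightly beyond the text in one respect: it spells out that SAMEORIGIN compares full origins, so a scheme, port or subdomain mismatch is enough to block rendering.

```javascript
// Added example, not code from the original post or any browser.
// Models how a browser evaluates X-Frame-Options for a framed document
// and shows how a server sets the header. All names are assumptions.

// Reduce a URL to its origin: scheme, host and port. "Same origin" is
// stricter than "same domain": http://a.example and https://a.example
// are different origins, as are a.example and www.a.example.
function originOf(url) {
  return new URL(url).origin; // URL is a global in Node.js and browsers
}

// Decide whether a framed document may be rendered.
//   headerValue: the X-Frame-Options value from the response, or null if absent
//   frameUrl:    URL of the document that was loaded into the frame
//   topUrl:      URL of the top-level page holding the frame, or null when the
//                document is itself the top-level page (not framed at all)
// Returns "render" or "block".
function evaluateFrameOptions(headerValue, frameUrl, topUrl) {
  if (topUrl === null) {
    return "render"; // not framed, so the header has nothing to restrict
  }
  if (headerValue === null || headerValue === undefined) {
    return "render"; // no header: the legacy behaviour, anyone may frame the page
  }
  // The value is case-insensitive; tolerate surrounding whitespace.
  switch (headerValue.trim().toUpperCase()) {
    case "DENY":
      return "block"; // no framing at all, not even by the same origin
    case "SAMEORIGIN":
      return originOf(frameUrl) === originOf(topUrl) ? "render" : "block";
    default:
      // Malformed value. Browsers differed on what to do here; this example
      // fails closed rather than silently disabling the protection.
      return "block";
  }
}

// Server side: set the header on a response object that has setHeader()
// (Node's http.ServerResponse does). `policy` is "DENY" or "SAMEORIGIN";
// anything else is rejected so a typo such as "SAME-ORIGIN" cannot ship
// as a silent no-op. Returns the normalised value that was set.
function applyFrameOptions(res, policy) {
  const value = String(policy).trim().toUpperCase();
  if (value !== "DENY" && value !== "SAMEORIGIN") {
    throw new Error("unsupported X-Frame-Options value: " + policy);
  }
  res.setHeader("X-Frame-Options", value);
  return value;
}

// Constructed sample: an attacker page framing a protected page.
const samples = [
  ["DENY",       "https://app.example/page", "https://app.example/"],       // block
  ["SAMEORIGIN", "https://app.example/page", "https://app.example/home"],   // render
  ["SAMEORIGIN", "https://app.example/page", "http://app.example/"],        // block: scheme
  ["SAMEORIGIN", "https://app.example/page", "https://www.app.example/"],   // block: host
  ["SAMEORIGIN", "https://app.example/page", "https://attacker.example/"],  // block
  [null,         "https://app.example/page", "https://attacker.example/"],  // render
];
for (const [value, frame, top] of samples) {
  console.log(String(value).padEnd(10), top.padEnd(30), evaluateFrameOptions(value, frame, top));
}
```

Note that this model compares the framed page only against the top-level page, which is how the header was originally defined; some later browser implementations checked every ancestor frame instead, so a page nested two frames deep could be treated differently from browser to browser. With Node's `http` module the server half is simply `applyFrameOptions(res, "SAMEORIGIN")` inside the request handler.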

The same behaviour reached Firefox users a few months later (again, I was wrong in attributing it to Firefox itself: it was NoScript that did it), and I expect other browsers to follow.

So what does it mean to you, the developer?

  • setting such a header essentially renders frame busting code unnecessary in browsers that honour it
  • but it has the downside of displaying a relatively ugly warning to the user
  • no automatic redirect happens: the response is fetched but never rendered, so none of its scripts, frame busting code included, ever run
  • the user therefore needs an extra click
  • and the content opens in a new tab or window
  • it works even if the user has JavaScript disabled, unlike frame busting code, which is more secure

Some useful discussion on the issue can also be found in this post on Hackademix.net.

So is it good practice to use this new X-FRAME-OPTIONS header instead of the traditional frame busting code? I definitely think so, especially if Firefox and other browsers add native support. What do you say?

● ● ●

Artem Russakovskii is a San Francisco programmer, blogger, and future millionaire (that last part is in the works). Follow Artem on Twitter (@ArtemR) or subscribe to the RSS feed.

  • Ergomane

    AFAIK token is SAMEORIGIN, no dash.

    • http://beerpla.net Artem Russakovskii

      Thank you. Indeed, you're right. Corrected.

  • Roland

    Seems to me like an option that will probably be used more for things it wasn't intended for than the things it was intended for.

    I use NoScript to block pages from doing all kinds of things I do not want, but here it accomplishes the opposite: it prevents me from looking at a page the way I want to.
    The usability of sites like google image search will be limited more and more if sites start adding this header. I fear the moment wordpress, joomla, drupal, etc. make this header a default. It will basically make frames useless.

    And unfortunately this 'protection' only protects the sites that want to be protected, so it is very limited until it becomes the default way of working.

    It should have been a browser setting, not a page header.

    Pages that do not let themselves be molded to the wishes of the user, are annoying. That's why we all hate pop-ups, right-click protection, etc. And framebusting.

    I know many web publishers find that their webpage should be viewed full screen, but that is not always what I, the reader, the person they make their site for, want.

    I fear that X-FRAME-OPTIONS will become the next weapon for publishers to enforce their wishes upon their readers, so I've come to the conclusion that it is an annoyance, rather than a good thing.

  • Diana

    Yes, but how do we rid our PC of this message when it pops up?

    This content cannot be displayed in a frame

    To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.

  • Martin

    There are many legitimate uses for using frames to connect sites of different origins. I feel this development damages an important tool. Any genuine security risks could be dealt with much more gracefully, rather than simply breaking a feature.

    If kids are typing bad words into a computer you don't fix the problem by taking away the keyboard.

  • simon

    This is pathetic!

    Looks like DOTSTER and MYDOMAIN have implemented this directive in some of their default frame redirection pages, now I can't see half my sites because of this flaw. I can't "accept" the message and proceed to view the site, treating me like a child. Pathetic idea and very, very badly implemented by big brother.

  • El Yobo

    This is extremely useful for preventing phishing attacks, e.g. where a scammer wraps an entire site in an iframe and displays their own popup over the top of it.

    While I can see the downsides in some cases, as a security measure it's essential now that iframe sandboxes can prevent frame busting through javascript.