Yesterday I published a blind analysis of the so-called “Clickjacking protection” included in IE8 RC1. “Blind” because, hype aside, no technical documentation was available, even though the feature was targeted at web developers who, in order to protect their users, would need to change the way their pages are served.

After a while, Microsoft’s David Ross sent me an email confirming that my guesses about IE8’s approach, its scope and its limitations were indeed correct. The only information obviously missing from my “prophetic” description was the real name of the “X-I-Do-Not-Want-To-Be-Framed-Across-Domains” HTTP header to be sent with sensitive pages, and today this little mystery has finally been unveiled by Eric Lawrence on the IE Blog:

Web developers can send an HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed. If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame. If the value contains the token SAMEORIGIN, IE will block rendering only if the origin of the top-level browsing context is different than the origin of the content containing the X-FRAME-OPTIONS directive. For instance, if http://shop.example.com/confirm.asp contains a DENY directive, that page will not render in a subframe, no matter where the parent frame is located. In contrast, if the X-FRAME-OPTIONS directive contains the SAMEORIGIN token, the page may be framed by any page from the exact http://shop.example.com origin.

As I had anticipated, IE8’s “clickjacking protection” is just an alternative, scriptless way to perform frame busting, a well-known and simple technique that prevents a page from being “framed” inside another page and thereby becoming an easy UI redressing target. Microsoft had to follow its own path because the traditional JavaScript implementation can easily be circumvented on IE, e.g. by loading the targeted page inside an <IFRAME SECURITY=restricted> element, which disables scripting in the frame so that the frame-busting code never runs. But the other major browsers are equally “protected” (if something relying on the good will and education of web authors can be called “browser protection”) by “standard” frame busting. Therefore, slogans like “the first browser to counter this type of threat” (James Pratt, Microsoft senior product manager) were marketspeak at its best. Furthermore, this approach is useless against Clickjacking in its original “historical” meaning, i.e. those attacks involving Flash applets and other kinds of plugin embedding which led Robert “RSnake” Hansen and Jeremiah Grossman to coin the successful buzzword: the header only governs HTML pages loaded in frames, not plugin content embedded directly.
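As an added illustration (not code from the original post, from IE8 or from NoScript), here is a Node.js model of the two approaches compared above: the classic script-based frame buster, and the X-FRAME-OPTIONS decision exactly as Eric Lawrence’s description states it, i.e. SAMEORIGIN compared against the origin of the top-level browsing context only. The window objects are mocks, the URLs are made up, and treating DENY as taking precedence over SAMEORIGIN and an unrecognized value as “render” are assumptions, not documented IE8 behaviour.

```javascript
// Added example: models the two frame-control approaches discussed in the post.
// Not code from the original page, from IE8 or from NoScript; runs under Node.js
// with mock window objects, so no real browser is involved.

// 1. Classic script-based frame busting.
// Returns true when it redirected the top-level window to the framed page.
// On IE an attacker can load the target in <IFRAME SECURITY=restricted>, which
// disables script inside the frame, so this code simply never gets to run.
function frameBust(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location;
    return true;
  }
  return false;
}

// 2. Declarative X-FRAME-OPTIONS.
// Parse the header value into a policy: 'DENY', 'SAMEORIGIN' or null.
// Assumptions (not documented IE8 behaviour): tokens are case-insensitive,
// DENY wins if both tokens are present, and an unrecognized value means "render".
function parseXFrameOptions(value) {
  if (typeof value !== 'string') return null;
  const tokens = value.toUpperCase().split(/[\s,]+/).filter(Boolean);
  if (tokens.includes('DENY')) return 'DENY';
  if (tokens.includes('SAMEORIGIN')) return 'SAMEORIGIN';
  return null;
}

// scheme://host[:port] of a URL, the unit X-FRAME-OPTIONS compares.
function originOf(url) {
  return new URL(url).origin;
}

// Decide whether a document served with `headerValue` at `contentUrl` may render.
// `ancestorUrls` lists the documents framing it, outermost (top-level) first.
function mayRender(headerValue, contentUrl, ancestorUrls) {
  if (ancestorUrls.length === 0) return true;          // not framed at all
  const policy = parseXFrameOptions(headerValue);
  if (policy === 'DENY') return false;                  // never inside a frame
  if (policy === 'SAMEORIGIN') {
    // Only the top-level browsing context is compared, exactly as described:
    // an intermediate frame from another origin is not taken into account.
    return originOf(ancestorUrls[0]) === originOf(contentUrl);
  }
  return true;                                          // no usable policy
}

// Server side: add the header to an http.ServerResponse (or anything with setHeader).
function sendFrameOptions(res, policy) {
  res.setHeader('X-FRAME-OPTIONS', policy);
  return res;
}

// Demo with constructed URLs (the example.com / example.net hosts are placeholders).
const target = 'http://shop.example.com/confirm.asp';
console.log(mayRender('DENY', target, ['http://evil.example.net/']));               // false
console.log(mayRender('SAMEORIGIN', target, ['http://shop.example.com/cart.asp']));  // true
console.log(mayRender('SAMEORIGIN', target, ['http://evil.example.net/']));          // false
// Caveat: same-origin top document, cross-origin middle frame -> still renders.
console.log(mayRender('SAMEORIGIN', target,
  ['http://shop.example.com/', 'http://evil.example.net/']));                       // true
```

To use the server-side half in a real handler, call `sendFrameOptions(res, 'SAMEORIGIN')` inside an `http.createServer((req, res) => { ... })` callback before `res.end()`. The last demo line is the point worth noticing: because the described check looks only at the top-level browsing context, a page nested inside a cross-origin frame is still rendered as long as the outermost document is same-origin, so SAMEORIGIN as described does not inspect the whole ancestor chain.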

However, in my post I had also written that having such a scriptless alternative as a cross-browser option would be nice:

I do believe that a declarative approach to control subdocument requests is an excellent idea: otherwise I wouldn’t have included the SUB pseudo-method in ABE Rules Specification (pdf). Moreover, as soon as I’ve got some less blurry info (David Ross, I know you’re listening, why don’t you drop me a line?), I’ll be happy to immediately implement a compatible feature in NoScript and lobby Mozilla for inclusion in Firefox 3.1.

David kindly answered:

I think this would be fantastic and it’s a great place to start building some bridges.

I agree; in fact I’ve filed an enhancement request for Firefox, and I’m already working on releasing a NoScript development build featuring X-FRAME-OPTIONS support: that’s relatively easy, since I can hook into the work I’m already doing for the ABE module. (Update 2009-01-29: I just released the NoScript 1.8.9.9 development build, featuring full experimental X-FRAME-OPTIONS compatibility support.)
It’s worth noting, though, that this is just a cross-browser compatibility effort: neither Firefox nor NoScript really needs this feature. Traditional JavaScript-based frame busting works fine in Firefox, giving it the same (modest) degree of “protection” as IE8. NoScript users, on the other hand, are already fully protected, because ClearClick is the one and only countermeasure which works against any type of Clickjacking (frame- or embed-based), whether or not web sites cooperate.

Speaking of NoScript, I’ve got a small but important correction to the otherwise excellent article Robert McMillan wrote for PC World (IDG News) yesterday:

Because clickjacking requires scripting, the attack doesn’t work when NoScript is enabled.

This statement is wrong on two counts:

  1. Clickjacking does not require scripting: JavaScript might make the attacker’s life easier, but it is not indispensable to mount an attack.
  2. NoScript does not need scripting to be disabled in order to protect its users against Clickjacking: its exclusive ClearClick anti-Clickjacking technology works independently of script blocking.

That’s why NoScript can be recommended to anyone, even to grandma who isn’t inclined to block JavaScript: although I do not encourage using NoScript’s “Allow Scripts Globally” command, because the default-deny policy is your best first-line defense, many additional protection features such as the Anti-XSS filters and ClearClick remain active even when JavaScript is enabled, providing the safest web experience available in any browser.

12 Responses to “IE8’s “Clickjacking Protection” Exposed”

  1. #1 hackademix.net » Ehy IE8, I Can Has Some Clickjacking Protection? says:

    […] Scripts vs Google Analytics IE8’s “Clickjacking Protection” Exposed 27 01 […]

  2. #2 decent user says:

    http://www.secniche.org/gcr_clkj/

    Environment:
    - latest Fx 3.0.5 with new profile
    - current NoScript dev build with default settings

    With secniche.org disallowed a click on the link sends the browser to yahoo, no clickjack-warning appears. With secniche.org allowed a click on the link sends the browser to xssed.com!

  3. #3 Giorgio says:

    @decent user:

    That guy is an idiot: either he cannot understand Clickjacking, or he’s purposely using the buzzword to get some cheap publicity.
    His “PoC” is just a laughably over-elaborated version of a simple:

    <a href="http://yahoo.com" onclick="location='http://xssed.com';return false">Yahoo</a>

    Try it: Yahoo

    That’s not Clickjacking by any stretch of imagination, and hardly malicious: you just get on a “surprise” destination, but nothing more since it can’t do any of the cross-site evils (e.g. bypassing CSRF protection) of the real thing.

  4. #4 decent user says:

    Thanks for the ultra fast clarification!

    > either he cannot understand Clickjacking, or he’s purposely using the buzzword to get some cheap publicity.

    Both I think, referring to your explanation.

    Best wishes! And thanks for the great work with NoScript!

  5. #5 Hans Nordhaug says:

    @Giorgio

    Heise Security bought the secniche.org story and claims that "NoScript obviously does not appear to recognize all variants of Clickjacking." Just FYI.

  6. #6 Giorgio says:

    @Hans Nordhaug:
    Thanks, I already commented on the UK edition of that article.

    Right at this moment I was “laughing” with OWASP’s Arshan Dabirsiaghi about how many clowns are talking “Clickjacking” while nobody (including Heise) grasps even the basic concept…

  7. #7 hackademix.net » says:

    […] IE8’s “Clickjacking Protection” Exposed […]

  8. #8 hackademix.net » All That ClickJazz... says:

    […] to IE8’s touted Clickjacking protection which will work on pages whose authors adopt the new proprietary X-FRAME-OPTIONS header (now […]

  9. #9 IE8 clickjacking / ui redressing prevention via X-FRAME-OPTIONSIts | Security and the Net says:

    […] that tells Internet Explorer the page is not supposed to be included in a frame. It’s called X-FRAME-OPTIONS; a value of DENY means the page should never be opened in a frame, and SAMEORIGIN only allows it to […]

  10. #10 The WHATWG Blog » Blog Archive » This Week in HTML 5 - Episode 21 says:

    […] which relies on web authors to include a Microsoft-proprietary HTTP header. RSnake responds, as does Giorgio Maone (who, by the way, has already integrated Microsoft’s proprietary header into his NoScript extension […]

  11. #11 Terrel Shumway says:

    If NoScript, or its functionality is included in mainline Firefox, is that going to interfere with new development? NoScript has a pretty quick release cycle compared with the main browser. I’d hate to see that go away.
