Comments on: X-FRAME-OPTIONS in Firefox

By: Mike

Mike — Wed, 27 Jan 2010 00:31:02 +0000

I’ve implemented X-Frame-Options on my website using some simple Apache config. See https://secure.grepular.com/ClickJacking_and_SSL_Protection_in_Apache for information on how to do it.

By: hackademix.net » Google Talk Badges vs X-Frame-Options

hackademix.net » Google Talk Badges vs X-Frame-Options — Wed, 02 Dec 2009 20:14:47 +0000

[…] frame) — or a blank one if you’re on Chrome — because Google is sending down a X-Frame-Option HTTP header with value SAMEORIGIN, allowing only pages served from www.google.com to embed this […]

By: Modern-Day Frame Busting With X-FRAME-OPTIONS And "This content cannot be displayed in a frame" Warnings

Fri, 30 Oct 2009 01:25:37 +0000

[…] useful discussion on the issue can also be found in this post on […]

By: Open Source Firefox Extension NoScript Updated | Infosecurity.US

Open Source Firefox Extension NoScript Updated | Infosecurity.US — Fri, 13 Mar 2009 16:10:24 +0000

[…] incident reporting tool. Improved script blocking and scriptless pages management. Improved X-FRAME-OPTIONS compatibility support. New exclusive protection against JSON and E4X hijacking. Anti-XSS filters performance […]

By: hackademix.net » Browser Plugins, Add-Ons and Security Advisers

hackademix.net » Browser Plugins, Add-Ons and Security Advisers — Sat, 07 Feb 2009 17:02:41 +0000

[…] send Roger an email, sparking a pretty intense exchange (in the meanwhile, I was implementing PoC X-Frame-Options compatibility for Firefox with my left […]

By: Giorgio

Giorgio — Mon, 02 Feb 2009 00:27:51 +0000

@MacOtaku:
“Traditional” frame busting emulation is controlled by the noscript.emulateFrameBreak about:config preference.
I can add a similar preference for X-FRAME-OPTIONS in next release (it was already planned, anyway).

By: MacOtaku

MacOtaku — Sun, 01 Feb 2009 23:50:34 +0000

I know it’s a small issue, but this feature should allow the user to override it, so it isn’t misused. Unfortunately, unlike JS frame busting, there is presently no practical means for the user to override this feature when it is abused by web publishers. For example, if a page doesn’t want to be framed, not for security, but as part of yet another obnoxious, paranoid, and ineffective "copy-protection" scheme (like those "clever" scripts that set onselectstart, etc to function(){return false}), and I land on said page framed as a Google image search result, I can stop it from frame-busting by denying its JS. (Actually, can I — or does NoScript prevent me from stopping it by emulating frame-busting without consulting the user?) Now, if the HTTP header is honoured without giving the user a means to override it, how then do I prevent the page messing up a legitimate framing (such as an images.google result, or a Facebook posted item)?

By: Giorgio

Giorgio — Sun, 01 Feb 2009 19:13:06 +0000

@Joris:
Fixed in 1.9.0.2, thanks.
Notice that you won’t get an error message for OBJECT elements, but the request gets blocked anyway.

By: Joris van der Wel

Joris van der Wel — Sun, 01 Feb 2009 12:16:43 +0000

Just did some tests and it appears that "X-IFRAME-OPTIONS" does not work with .

Also, I have noticed that sometimes the link "Click here to open this content in a new window" will open the chrome url of the error message instead of the page. Unfortunately I am not sure how to properly recreate this.

Also, awesome extension

Gr. Joris

By: hackademix.net » All That ClickJazz...

hackademix.net » All That ClickJazz... — Sat, 31 Jan 2009 21:07:54 +0000

[…] protection which will work on those pages whose authors decide to adopt the new proprietary X-FRAME-OPTIONS header (now cross-browser), interest of the press about this topic has been raising again. Unluckily, Clickjacking (or more […]