Michael Coates just announced that X-Frame-Options will finally be available in Firefox starting with the next minor update, 3.6.9.

This is great news, because it puts vanilla Firefox on par with IE and Chrome regarding this server-side defense, which security-aware web authors (like the guys at Google, and possibly the AMO team now) can use, by modifying the way their pages are served, in order to protect their web sites against frame-based Clickjacking.

I said “vanilla”, because Firefox with NoScript has been supporting X-Frame-Options since the day after it had been announced with much fanfare by Microsoft, i.e. Jan the 29th 2009 (more than a year and a half, now). More as a point of pride, actually, than out of true necessity, since NoScript’s existing ClearClick module already provided a more complete and effective protection against all kinds of Clickjacking (either frame-based or plugin-based), independently of the goodwill and security awareness of server-side implementers.

It’s worth mentioning that in many situations, such as on web properties which provide some kind of frame-based API or support external apps and “widgets”, X-Frame-Options is hard or impossible to configure properly, because it would break the business model of the site itself. Facebook is a glaring example of this kind of site, vulnerable to Clickjacking, where X-Frame-Options would fall short. Needless to say, NoScript’s ClearClick does protect against Clickjacking everywhere, whether web site owners could not or chose not to implement X-Frame-Options (or just didn’t know about it!).
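To make the trade-off above concrete, here is an added example (not code from Firefox, NoScript or any site mentioned here): a simplified model of the check a supporting browser applies to the header's two values, DENY and SAMEORIGIN, run against a constructed site that also serves a partner-embeddable widget. All function names, routes and origins are hypothetical.

```javascript
// Added example: simplified model of X-Frame-Options enforcement.
// Routes, origins and function names are constructed for illustration.

// Reduce a URL to its origin (scheme + host + port).
function originOf(url) {
  return new URL(url).origin;
}

// Browser side: may this response render inside a frame?
//   headerValue: X-Frame-Options value, or undefined when the header is absent
//   resourceUrl: URL of the framed response
//   topUrl:      URL of the top-level page doing the framing
function mayRenderInFrame(headerValue, resourceUrl, topUrl) {
  if (headerValue === undefined) return true; // no header: framing allowed
  const value = headerValue.trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") return originOf(resourceUrl) === originOf(topUrl);
  return true; // assumption of this model: unrecognized values are ignored
}

// Server side: choose the header for each route of a hypothetical site.
function headerFor(route) {
  // A widget meant for arbitrary partner pages cannot send either value:
  // DENY and SAMEORIGIN would both stop it from rendering there.
  if (route.embeddableByPartners) return undefined;
  return route.framedBySelf ? "SAMEORIGIN" : "DENY";
}

const routes = [
  { path: "/account/settings", framedBySelf: false, embeddableByPartners: false },
  { path: "/editor/preview",   framedBySelf: true,  embeddableByPartners: false },
  { path: "/widgets/like",     framedBySelf: false, embeddableByPartners: true  },
];

// Report, per route, the header sent and whether framerUrl can frame it.
function audit(siteOrigin, framerUrl) {
  return routes.map((r) => {
    const header = headerFor(r);
    return {
      path: r.path,
      header: header ?? "(none)",
      rendersInFrame: mayRenderInFrame(header, siteOrigin + r.path, framerUrl),
    };
  });
}

console.log(audit("https://social.example", "https://other.example/page"));
```

The widget route is the only one an unrelated origin can still frame, which is the gap the header cannot close without breaking the widget itself.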

To be fair, there’s an upcoming Firefox 4 technology which can better help web developers protect their web sites against this and other web application security issues, even in complex scenarios like Facebook’s: it is Content Security Policy (CSP). I’d really love it to get popular enough among security-aware developers, and possibly be standardized across browser implementations.

On the other hand, as long as you don’t trust every web site out there to always do the right thing security-wise, NoScript will be your friend :)

7 Responses to “X-Frame-Options (Finally) on (Vanilla) Firefox”

  1. #1 anon says:

    try converting this site into CSP

  2. #2 Giorgio says:

    @anon:
    I’ve got no need to do it — yet.
    If the point you want to make is that CSP is considerably more complex than X-Frame-Options, I agree, and this can actually hinder its adoption. But it’s obviously much more powerful, too.

  3. #3 Anonymous Coward says:

    NoScript is always one step two years ahead :-)

  4. #4 p0deje says:

    Do you plan to drop X-Frame-Options support in the future?
    By the way, why is there no Origin HTTP header implementation in NoScript?

  5. #5 Giorgio says:

    @p0deje:
    I’ll drop X-Frame-Options support when I drop support for Firefox 3.6.x, which probably won’t happen for one year at least.

    Regarding Origin, consensus on how it should work has formed only recently, and the Firefox implementation is on its way, hence I’m not sure investing in it would be worth the effort.

  6. #6 KWierso says:

    Huh. Seems like NoScript’s preventing Firefox 4’s addon manager’s "Get Addons" section from displaying, due to x-frame-options set on services.addons.mozilla.org.

    Mozilla themselves had to work around this in bug 593387:
    https://bugzilla.mozilla.org/show_bug.cgi?id=593387

  7. #7 Giorgio says:

    @KWierso:
    Already “fixed” (more precisely, hacked away) in latest development build.
