IE8's "Clickjacking Protection" Exposed
Posted by: Giorgio in Clickjacking, IE, Mozilla, Security, NoScript
Yesterday I published a blind analysis of the so-called "Clickjacking protection" included in IE8 RC1. "Blind" because, hype aside, no technical documentation was available, even though the feature was aimed at web developers, who were expected to change the way their pages are served in order to protect their users.
After a while, Microsoft's David Ross sent me an email confirming that my wild guesses about IE8's approach, its scope and its limitations were indeed correct. The only information obviously missing from my "prophetic" description was the real name of the "X-I-Do-Not-Want-To-Be-Framed-Across-Domains" HTTP header to be sent with the sensitive pages, and today this little mystery was finally unveiled by Eric Lawrence on the IE Blog:
Web developers can send an HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed. If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame. If the value contains the token SAMEORIGIN, IE will block rendering only if the origin of the top-level browsing context is different from the origin of the content containing the X-FRAME-OPTIONS directive. For instance, if http://shop.example.com/confirm.asp contains a DENY directive, that page will not render in a subframe, no matter where the parent frame is located. In contrast, if the X-FRAME-OPTIONS directive contains the SAMEORIGIN token, the page may be framed by any page from the exact http://shop.example.com origin.
As I had anticipated, IE8's "clickjacking protection" is just an alternate, scriptless way to perform frame busting, a well-known and simple technique to prevent a page from being "framed" by another page and therefore becoming an easy UI redressing target. Microsoft had to follow its own special path because the traditional JavaScript implementation can easily be circumvented on IE, e.g. by loading the targeted page inside an <IFRAME SECURITY=restricted> element, which disables scripting in the framed document so the frame-busting code never runs. But the other major browsers are equally "protected" (if we can call "browser protection" something relying on the good will and education of web authors) by "standard" frame busting. Therefore, slogans like "the first browser to counter this type of threat" (James Pratt, Microsoft senior product manager) were marketspeak at its best. Furthermore, this approach is useless against Clickjacking in its original "historical" meaning, i.e. those attacks involving Flash applets and other kinds of plugin embeddings (an embedded plugin object is not a framed HTML page, so a header sent with HTML pages never comes into play) which led Robert "RSnake" Hansen and Jeremiah Grossman to coin the successful buzzword.
However, in my post I had also written that having such a scriptless alternative as a cross-browser option would be nice:
I do believe that a declarative approach to control subdocument requests is an excellent idea: otherwise I wouldn't have included the SUB pseudo-method in ABE Rules Specification (pdf). Moreover, as soon as I've got some less blurry info (David Ross, I know you're listening, why don't you drop me a line?), I'll be happy to immediately implement a compatible feature in NoScript and lobby Mozilla for inclusion in Firefox 3.1.
David kindly answered:
I think this would be fantastic and it’s a great place to start building some bridges.
I agree; in fact, I've filed an enhancement request for Firefox, and I'm already working to release a NoScript development build featuring X-FRAME-OPTIONS support: that's relatively easy, since I can hook into the work I'm already doing for the ABE module. (Update 2009-01-29: I just released the NoScript 1.8.9.9 development build, featuring full experimental X-FRAME-OPTIONS compatibility support.)
It's worth noting, though, that this is just a cross-browser compatibility effort: neither Firefox nor NoScript really needs this feature. Traditional JavaScript-based frame busting works fine in Firefox, giving it the same (modest) degree of "protection" as IE8. NoScript users, on the other hand, are already fully protected, because ClearClick is the one and only countermeasure which works against any type of Clickjacking (frame or embed based), whether or not web sites cooperate.
Speaking of NoScript, I've got a small but important correction to the otherwise excellent article Robert McMillan wrote for PC World (IDG News) yesterday:
Because clickjacking requires scripting, the attack doesn't work when NoScript is enabled.
This statement is wrong on two counts:
- Clickjacking does not require scripting: JavaScript may make the attacker's life easier, but it is not required to mount an attack. A transparent iframe positioned over a decoy element with plain CSS is enough.
- NoScript does not need scripting to be disabled in order to protect its users against Clickjacking: its exclusive ClearClick anti-Clickjacking technology works independently of script blocking.
That's why NoScript can be recommended to anyone, even to grandma who's not inclined to block JavaScript: although I do not encourage using NoScript's "Allow Scripts Globally" command, because the default-deny policy is your best first-line defense, many additional protection features such as the Anti-XSS filters and ClearClick still remain active even when JavaScript is enabled, providing the safest web experience available in any browser.
January 29th, 2009 at 12:23 pm
http://www.secniche.org/gcr_clkj/
Environment:
- latest Fx 3.0.5 with new profile
- current NoScript dev build with default settings
With secniche.org disallowed, a click on the link sends the browser to Yahoo; no clickjack warning appears. With secniche.org allowed, a click on the link sends the browser to xssed.com!
January 29th, 2009 at 12:34 pm
@decent user:
That guy is an idiot: either he cannot understand Clickjacking, or he's purposely using the buzzword to get some cheap publicity.
His "PoC" is just a laughably over-elaborated version of a simple:
Try it: Yahoo
That's not Clickjacking by any stretch of the imagination, and hardly malicious: you just land on a "surprise" destination, but nothing more, since it can't do any of the cross-site evils (e.g. bypassing CSRF protection) of the real thing.
January 29th, 2009 at 1:01 pm
Thanks for the ultra fast clarification!
> either he cannot understand Clickjacking, or he’s purposely using the buzzword to get some cheap publicity.
Both I think, referring to your explanation.
Best wishes! And thanks for the great work with NoScript!
January 29th, 2009 at 5:16 pm
@Giorgio
Heise Security bought the secniche.org story and claims that "NoScript obviously does not appear to recognize all variants of Clickjacking." Just FYI.
January 29th, 2009 at 5:25 pm
@Hans Nordhaugh:
Thanks, I already commented on the UK edition of that article.
Precisely at this moment I was "laughing" with OWASP's Arshan Dabirsiaghi about how many clowns are talking "Clickjacking" while nobody (including Heise) grasps even the basic concept...
January 31st, 2009 at 11:06 pm
[...] to IE8’s touted Clickjacking protection which will work on pages whose authors adopt the new proprietary X-FRAME-OPTIONS header (now [...]
February 1st, 2009 at 12:41 pm
[...] that tells Internet Explorer the page is not supposed to be included in a frame. It’s called X-FRAME-OPTIONS; a value of DENY means the page should never be opened in a frame, and SAMEORIGIN only allows it to [...]
February 11th, 2009 at 1:02 am
[...] which relies on web authors to include a Microsoft-proprietary HTTP header. RSnake responds, as does Giorgio Maone (who, by the way, has already integrated Microsoft's proprietary header into his NoScript extension [...]
February 27th, 2009 at 12:45 am
If NoScript, or its functionality is included in mainline Firefox, is that going to interfere with new development? NoScript has a pretty quick release cycle compared with the main browser. I'd hate to see that go away.