Archive for August 31st, 2010

Michael Coates just announced that X-Frame-Option will be finally available on Firefox starting with the next minor update, 3.6.9.

This is great news, because it puts vanilla Firefox on par with IE and Chrome regarding this server-side defense, which security-aware web authors (like the guys at Google, and possibly the AMO team now) can use, by modifying the way their pages are served, in order to protect their web sites against frame-based Clickjacking.

I said "vanilla", because Firefox with NoScript has been supporting X-Frame-Options since the day after it had been announced with much fanfare by Microsoft, i.e. Jan the 29th 2009 (more than 1 year and half, now). Mostly as a point of pride, actually, than out of a true necessity, since the existent NoScript's ClearClick module already provided a more complete and effective protection against all kinds of Clickjacking (either frame-based or plugin-based), independently from the good will and security awareness of server-side implementers.

It's worth to mention that in many situations, like on web properties which provide some kinds of frame-based APIs, or support external apps and "widgets", X-Frame-Options is hard or impossible to be configured properly, because it would break the business model of the site itself. Facebook is a glaring example of this kind of sites, vulnerable to Clickjacking, where X-Frame-Options would fall short. Needless to say, NoScript's ClearClick does protect against Clickjacking everywhere, no matter if web site owners could not, or choose not, to implement X-Frame-Options (or just didn't know about it!).

To be fair, there's an upcoming Firefox 4 technology which can better help web developers protecting their web sites against this and other web application security issues, even in complex scenarios like Facebook's: it is Content Security Policy (CSP). I'd really love it to get popular enough among security-aware developers, and possibly be standardized across browser implementations.

On the other hand, as long as you don't trust every web site out there to always do the right thing security-wise, NoScript will be your friend :)

Bad Behavior has blocked 716 access attempts in the last 7 days.