5

The X-Frame-Options header will prevent your site from being iframed by other domains. On browsers that accept the ALLOW-FROM directive you are limited to specifying only a single origin. You could use a CSP 2.0 frame-ancestors directive for modern UAs.

That being said, it's possible to dynamically render a response header based on the request referer and decide what type of X-Frame-Options header to set in the response.

For example, you could by default serve X-Frame-Options: deny and then at the Controller level render a deny or simply not send any X-Frame-Options header to allow that request to be iFramed.

Pseudo code (Ruby):

require 'uri'

# Host part of the Referer, or nil when no Referer was sent
referer_host = URI.parse(request.referer.to_s).host
if allowed_origins.include?(referer_host)
  response.headers.delete('X-Frame-Options') # Remove header to allow framing
else
  response.headers['X-Frame-Options'] = 'deny'
end

Can this security mechanism be defeated? Is it possible for an attacker-controlled domain to forge the Referer value that the UA will send through some JavaScript hackery?

Anders
Alex Urcioli
  • Have you thought about using the Origin header? That could be another layer of checks. But all of these are likely vulnerable to some sort of tricks. I suggest instead to use https://jacob.hoffman-andrews.com/README/emulate-x-frame-options-allow-from-using-postmessage/ for a much more secure technique. – devd Jun 04 '16 at 23:45

2 Answers

5

As far as I know it is impossible to insert a completely fake Referer header within a normal browsing session. But there are various ways to make sure that no Referer header is sent at all. Thus, as long as you only allow framing if the Referer header is set and the domain in the Referer is explicitly allowed to frame your site, you should be safe.

But note that you should make sure that your check does not blindly throw some regex at the Referer to check for good-site, because that way something like http://bad-site/good-site/ or http://good-site.bad-site/ would also be allowed to frame you. You would not be the first to make such a mistake.

Steffen Ullrich
  • That's what I thought. And yeah I'm not using some crazy Regex to validate. Simply pulling the host out of the header and checking if that host exists in a list of allowed hosts. And yeah also blocking if no referer is sent with the request. Thanks for your answer. – Alex Urcioli Apr 06 '16 at 14:56
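An exact-origin version of the check sketched in the question's pseudocode, following both points in this answer (deny when no Referer is sent, and compare the parsed host rather than a substring) and adding the CSP frame-ancestors directive mentioned in the question for browsers that ignore ALLOW-FROM. This is added example code, not the asker's or answerer's; the allow-list and URLs are constructed.

```ruby
require 'uri'

# Constructed allow-list of origins permitted to frame this site.
ALLOWED_ORIGINS = %w[https://good-site.example http://partner.example:8080].freeze

# Reduce a Referer value to a normalised origin ("scheme://host[:port]"), or nil
# when there is no usable Referer (absent, empty, unparsable or non-HTTP).
def referer_origin(referer)
  return nil if referer.nil? || referer.strip.empty?
  uri = URI.parse(referer)
  return nil unless %w[http https].include?(uri.scheme) && uri.host
  origin = "#{uri.scheme}://#{uri.host.downcase}"
  origin += ":#{uri.port}" unless uri.port == uri.default_port
  origin
rescue URI::InvalidURIError
  nil
end

# Headers to add to the response. Framing is allowed only when a Referer is
# present AND its exact origin is on the allow-list; every other case denies.
# Exact-origin matching rejects http://bad-site/good-site/, http://good-site.bad-site/
# and http://good-site@bad-site/ alike, because only the parsed host is compared.
def framing_headers_for(referer, allowed = ALLOWED_ORIGINS)
  origin = referer_origin(referer)
  if origin && allowed.include?(origin)
    { 'Content-Security-Policy' => "frame-ancestors #{origin}" }
  else
    { 'X-Frame-Options' => 'DENY',
      'Content-Security-Policy' => "frame-ancestors 'none'" }
  end
end
```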
0

If you have a form in an iframe, it will lead to an error on POST because the Referer is no longer the URL of the parent HTML page.

gassan