Is there any way to bypass the x-frame-options header without using a MitM or changing the packets in another way?
So actually getting a site that has x-frame-options: DENY to be shown in an iframe.
There is one caveat when using the X-Frame-Options header: it only checks the top-level frame. This means that if you have nested frames, i.e. frames within frames, it is still possible for another origin to include a site with an X-Frame-Options: SAMEORIGIN header.
In this regard the header Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors.
So actually getting a site that has x-frame-options: DENY to be shown in an iframe.
It's not possible to embed a site sending an X-Frame-Options: DENY header in any frame.
From RFC 7034:
DENY
A browser receiving content with this header field MUST NOT
display this content in any frame.
However, it might in some instances be possible to bypass the SAMEORIGIN directive as some browsers only check the top-level origin and not the direct frame parent:
SAMEORIGIN
A browser receiving content with this header field MUST NOT
display this content in any frame from a page of different origin
than the content itself. [...]
Please note that current implementations vary on the
interpretation of this criteria. In some, it only allows a page
to be framed if the origin of the top-level browsing context is
identical to the origin of the content using the X-Frame-Options
directive; in others, it may consider the origin of the framing
page instead.
(Emphasis my own.)
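To make the difference between the two answers concrete, here is an added example (not from the original thread or from any browser's code) that models how X-Frame-Options and CSP frame-ancestors decide whether a document may be framed, given the chain of ancestor origins from the direct parent up to the top-level page. The `xfo_check` parameter selects between the two SAMEORIGIN interpretations RFC 7034 describes; the victim/attacker URLs are constructed sample data, and only exact-origin CSP sources are handled (no wildcards or scheme-only sources).

```python
from urllib.parse import urlsplit

def origin(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def xfo_allows(value: str, content: str, ancestors: list, check: str = "top") -> bool:
    """X-Frame-Options. check='top' compares against the top-level browsing context
    (the common implementation); check='parent' compares against the direct framer."""
    v = value.strip().upper()
    if not ancestors:          # not framed at all: nothing to block
        return True
    if v == "DENY":
        return False
    if v == "SAMEORIGIN":
        other = ancestors[-1] if check == "top" else ancestors[0]
        return origin(other) == origin(content)
    raise ValueError(f"unsupported X-Frame-Options value: {value!r}")

def frame_ancestors_allows(directive: str, content: str, ancestors: list) -> bool:
    """CSP frame-ancestors: every ancestor in the chain must match a listed source."""
    sources = directive.split()
    if sources == ["'none'"]:
        return not ancestors
    allowed = {origin(content) if s == "'self'" else s for s in sources}
    return all(origin(a) in allowed for a in ancestors)

def may_be_framed(headers: dict, content: str, ancestors: list, xfo_check: str = "top") -> bool:
    """Combine both headers the way browsers do: a frame-ancestors directive,
    when present, takes precedence and X-Frame-Options is ignored."""
    csp = headers.get("Content-Security-Policy", "")
    for part in csp.split(";"):
        name, _, rest = part.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return frame_ancestors_allows(rest, content, ancestors)
    xfo = headers.get("X-Frame-Options")
    if xfo:
        return xfo_allows(xfo, content, ancestors, xfo_check)
    return True

# Constructed scenario: victim.example embeds a third-party frame from
# attacker.example, which in turn frames a sensitive victim.example page.
SITE = "https://victim.example/account"
NESTED = ["https://attacker.example/widget", "https://victim.example/home"]  # parent, top
```

Running `may_be_framed({"X-Frame-Options": "SAMEORIGIN"}, SITE, NESTED)` returns True under the top-level interpretation, while `frame-ancestors 'self'` rejects the same chain because the direct parent is a different origin.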