4 votes

Is there any way to bypass the x-frame-options header without using a MitM or changing the packets in another way?

So actually getting a site that has x-frame-options: DENY to be shown in an iframe.

asked by Wealot (879 rep; 2 gold, 12 silver, 25 bronze badges)

2 Answers

7 votes

There is one caveat when using the X-Frame-Options header: it only checks the top-level frame. This means that if you have nested frames, i.e. frames within frames, it is still possible for another origin to include a site with an X-Frame-Options: SAMEORIGIN header.

In this regard the header Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors.

[Figure: frame within frame]

answered by Sjoerd (28,707 rep; 12 gold, 74 silver, 102 bronze badges)

Comments:
  • Thanks for the answer, it is very clear. Just one question to clarify something: this only works in the same domain, right? So from a different domain it would still be impossible to load the site in an iframe? – Wealot Mar 23 '17 at 07:08
  • @Arminius You are right. I was confusing DENY and SAMEORIGIN. The scenario I described is possible with SAMEORIGIN, not with DENY. – Sjoerd Mar 31 '17 at 12:24
1 vote

   So actually getting a site that has x-frame-options: DENY to be shown in an iframe.

It's not possible to embed a site sending an X-Frame-Options: DENY header in any frame.

From RFC 7034:

   DENY
      A browser receiving content with this header field MUST NOT
      display this content in any frame.

However, it might in some instances be possible to bypass the SAMEORIGIN directive as some browsers only check the top-level origin and not the direct frame parent:

   SAMEORIGIN
      A browser receiving content with this header field MUST NOT
      display this content in any frame from a page of different origin
      than the content itself. [...]

      Please note that current implementations vary on the
      interpretation of this criteria.  In some, it only allows a page
      to be framed if the origin of the top-level browsing context is
      identical to the origin of the content using the X-Frame-Options
      directive; in others, it may consider the origin of the framing
      page instead.

(Emphasis my own.)

answered by Arminius (43,922 rep; 13 gold, 140 silver, 136 bronze badges)