
We have set the X-Frame-Options header as ALLOW-FROM same origin, but there is a requirement to open the page below from some 3rd-party website. Do you see a security issue here?

HTTP::header replace X-Frame-Options "SAMEORIGIN"

Shritam Bhowmick

2 Answers


From: The X-Frame-Options response header:

SAMEORIGIN

The page can only be displayed in a frame on the same origin as the page itself.

You know this already, but I mention it to let you know that there has not been, AFAIK, any vulnerability around this. By doing that, you have rather added a layer of security to your web application by preventing clickjacking, but this may not be enough: X-Frame-Options is worth less than you think.


There is an ALLOW-FROM directive to allow whitelisting of domains, however it is only supported by certain browsers.

Removing X-FRAME-OPTIONS (or the new CSP equivalent frame-ancestors) could possibly make your site vulnerable to clickjacking or other attacks such as Cross Site History Manipulation.

Clickjacking is only really a risk if there's something to click. If your site has other input that the user needs to complete before any click would be registered, then the vulnerability would not be exploitable. This, however, is hard to determine without reviewing all site functionality. And then any further updates to your site may mean this becomes exploitable without you knowing. Often it is safer to disable framing unless there is definitely a business requirement for it.

SilverlightFox

This is really a great answer and an accurate one. There is an `ALLOW-FROM` directive; I recently went through certain documentation to learn about this one. We certainly cannot disable the framing rules, because it's a business use case where one has to have the frame from a particular domain (my original post mentions this!). – Shritam Bhowmick Aug 28 '15 at 19:29
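As an added illustration (not code from either answer or from the asker's iRule), here is a small Python model of how a browser applies these headers, with the page and partner origins constructed for the example. It shows why SAMEORIGIN alone blocks the third party, how the CSP frame-ancestors directive admits one named origin while still refusing every other, and why ALLOW-FROM cannot be relied on in browsers that do not implement it (they drop the whole header and allow framing).

```python
from urllib.parse import urlsplit

def origin_of(url):
    """scheme://host[:port], lower-cased, as browsers compare origins."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def frame_ancestors_sources(csp):
    """Source list of the frame-ancestors directive in a CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def source_matches(source, ancestor_url, page_url):
    """Match one frame-ancestors source expression (ports and paths ignored here)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(ancestor_url) == origin_of(page_url)
    a = urlsplit(ancestor_url)
    scheme, _, host = source.rpartition("://")      # host-source with optional scheme
    if scheme and scheme != a.scheme.lower():
        return False
    return a.hostname == host.rstrip("/")

def framing_allowed(page_url, ancestor_url, headers, supports_allow_from=False):
    """True if a browser would let ancestor_url frame page_url under these headers.
    CSP Level 2: if frame-ancestors is present it is enforced and X-Frame-Options ignored."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors_sources(h.get("content-security-policy", ""))
    if sources is not None:
        return any(source_matches(s, ancestor_url, page_url) for s in sources)
    value, _, uri = h.get("x-frame-options", "").strip().partition(" ")
    value = value.upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(ancestor_url) == origin_of(page_url)
    if value == "ALLOW-FROM" and supports_allow_from:
        return origin_of(ancestor_url) == origin_of(uri.strip())
    return True  # no header, or ALLOW-FROM in a browser that ignores it: framing allowed

# Constructed sample: the asker's SAMEORIGIN rule beside a policy that also admits one
# partner origin via frame-ancestors (X-Frame-Options kept as a fallback for old browsers).
PAGE = "https://app.example/account"
SAMEORIGIN_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
WITH_PARTNER = {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"}
```

Running `framing_allowed(PAGE, "https://partner.example/embed", WITH_PARTNER)` returns True while the same call against `SAMEORIGIN_ONLY` returns False, and any other origin stays blocked under both policies.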