X-Frame-Options
The X-Frame-Options
HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>
, <iframe>
, <embed>
or <object>
. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
The added security is provided only if the user accessing the document is using a browser that supports X-Frame-Options
.
Note: The Content-Security-Policy
HTTP header has a frame-ancestors
directive which obsoletes this header for supporting browsers.
Syntax
There are two possible directives for X-Frame-Options
:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
Directives
If you specify DENY
, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN
, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
DENY
- The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
- The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin (see bug 725490). Also see Browser compatibility for support details.
ALLOW-FROM uri
- This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. Note that in the legacy Firefox implementation this still suffered from the same problem as
SAMEORIGIN
did — it doesn't check the frame ancestors to see if they are in the same origin. TheContent-Security-Policy
HTTP header has aframe-ancestors
directive which you can use instead.
Configuring IIS
To configure IIS to send the X-Frame-Options
header, add this to your site's Web.config
file:
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
...
</system.webServer>
Or see this Microsoft support article on setting this configuration using the IIS Manager user interface.
(一)安全防护:X-Frame-Options(点击劫持)
漏洞描述:
点击劫持(ClickJacking)是一种视觉上的欺骗手段。攻击者使用一个透明的iframe,覆盖在一个网页上,然后诱使用户在网页上进行操作,此时用户将在不知情的情况下点击透明的iframe页面。通过调整iframe页面的位置,可以诱使用户恰好点击在iframe页面的一些功能性按钮上。
HTTP响应头信息中的X-Frame-Options,可以指示浏览器是否应该加载一个iframe中的页面。如果服务器响应头信息中没有X-Frame-Options,则该网站存在ClickJacking攻击风险。网站可以通过设置X-Frame-Options阻止站点内的页面被其他页面嵌入从而防止点击劫持。
解决方案:
修改web服务器配置,添加X-Frame-Options响应头。赋值有如下三种:
1、DENY:不能被嵌入到任何iframe或者frame中。
2、SAMEORIGIN:页面只能被本站页面嵌入到iframe或者frame中
3、ALLOW-FROM uri:只能被嵌入到指定域名的框架中
Syntax
There are two possible directives for X-Frame-Options
:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
Directives
If you specify DENY
, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN
, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
DENY
- The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
- The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin (see bug 725490). Also see Browser compatibility for support details.
ALLOW-FROM uri
This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. Note that in the legacy Firefox implementation this still suffered from the same problem as SAMEORIGIN
did — it doesn't check the frame ancestors to see if they are in the same origin. The Content-Security-Policy
HTTP header has a frame-ancestors
directive which you can use instead.