X-FRAME-OPTIONS -- Am I missing something?

[thorin]

Has anyone seen this?

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

I ran across this blog entry at SANS:
https://blogs.sans.org/appsecstreetf...ptions-header/

But to me it seems like a big failure, unless I'm missing something.

1) As a malicious user you could simply remove this tag via a personal proxy, adblock rule, etc.
or
2) Couldn't you use javascript to load the page/object in a frame and strip this tag out? I'm sure javascript has the ability to request/filter content. (I'm thinking XMLHttpRequest, etc)

It's supposed to stop CSRF but if you can remove it from the page/frame how does it protect anything?

[webtrol]

Hi Thorin,
hmmm interesting link, i'm going to do some testing on this but my thoughts would be (before testing):

1) If you control proxy, you are MITM type situation and pretty much "All your base belong to us".

2) While I did not test this yet, I don't remember there being a general Header Object available on client side (so Javascript would not be able to manipulate those). XMLHttpRequest would only work with request not response header.
(exception being Windows- you could use MSXML2.ServerXMLHTTP activeX object)

While not perfect this could be one more thing to do to move in the right direction. I will look more closely at this when I get some free time (might find use for it)
thank you for the link!!!

Sin-cerely,
Trol