Results 1 to 2 of 2

Thread: X-FRAME-OPTIONS -- Am I missing something?

  1. #1
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010

    Default X-FRAME-OPTIONS -- Am I missing something?

    Has anyone seen this?

    Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

    I ran across this blog entry at SANS:

    But to me it seems like a big failure, unless I'm missing something.

    1) As a malicious user you could simply remove this tag via a personal proxy, adblock rule, etc.
    2) Couldn't you use javascript to load the page/object in a frame and strip this tag out? I'm sure javascript has the ability to request/filter content. (I'm thinking XMLHttpRequest, etc)

    It's supposed to stop CSRF but if you can remove it from the page/frame how does it protect anything?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  2. #2
    Member webtrol's Avatar
    Join Date
    Jan 2010


    Hi Thorin,
    hmmm interesting link, i'm going to do some testing on this but my thoughts would be (before testing):

    1) If you control proxy, you are MITM type situation and pretty much "All your base belong to us".

    2) While I did not test this yet, I don't remember there being a general Header Object available on client side (so Javascript would not be able to manipulate those). XMLHttpRequest would only work with request not response header.
    (exception being Windows- you could use MSXML2.ServerXMLHTTP activeX object)

    While not perfect this could be one more thing to do to move in the right direction. I will look more closely at this when I get some free time (might find use for it)
    thank you for the link!!!


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts