X-Frame-Options ALLOW-FROM in firefox and chrome

Question

I m implementing a  pass-through  for X-Frame-Options to let a partner site wrap my employer s site in an iframe  as per this article  http   blogs msdn com b ieinternals archive 2010 03 30 combating-clickjacking-with-x-frame-options aspx   splitting up URLS to post   In a nutshell  our partner s page has an iframe with an URL against our domain  For any page in our domain  they ll add a special url argument like  amp  mykey topleveldomain com  telling us what the page s top level domain is   Our filters pick up the partner TLD  if provided  from the URL  and validate it against a whitelist   If it s on the list  we ship the X-Frame-Options header with value ALLOW-FROM topleveldomain com  and add a cookie for future clicks    If it s not on our whitelist  we ship SAMEORIGIN or DENY   The problem is it looks like sending ALLOW-FROM domain results in a no-op overall for the latest Firefox and Google Chrome   IE8  at least  seems to be correctly implementing ALLOW-FROM   Check out this page   http   www enhanceie com test clickjack   Right after the 5th  of 5  boxes that  should be showing content   is a box that should NOT be showing content  but which is   In this case  the page in the iframe is sending X-Frame-Options  ALLOW-FROM http   www debugtheweb com  a decidedly different TLD than http   www enhanceie com   Yet  the frame still displays content   Any insight as to whether X-Frame-Options is truly implemented with ALLOW-FROM across relevant  desktop  browsers   Perhaps the syntax has changed   Some links of interest     Draft rfc on x-frame-options  http   tools ietf org html draft-gondrom-frame-options-01 developer mozilla article discussing the header as a 2-option header  sameorigin or deny    https   developer mozilla org en-US docs Web HTTP X-Frame-Options msdn blog that initiated the whole thing  http   blogs msdn com b ie archive 2009 01 27 ie8-security-part-vii-clickjacking-defenses aspx msdn blog that talks about 3 values  adding allow-from origin http   blogs msdn com b ieinternals archive 2010 03 30 combating-clickjacking-with-x-frame-options aspx

User · Answer

For Chrome  instead of    response AppendHeader  X-Frame-Options    ALLOW-FROM     host     you need to add Content-Security-Policy   string selfAuth   System Web HttpContext Current Request Url Authority  string refAuth   System Web HttpContext Current Request UrlReferrer Authority  response AppendHeader  Content-Security-Policy    default-src  self   unsafe-inline   unsafe-eval  data    msecnd net vortex data microsoft com     selfAuth         refAuth     to the HTTP-response-headers    Note that this assumes you checked on the server whether or not refAuth is allowed   And also  note that you need to do browser-detection in order to avoid adding the allow-from header for Chrome  outputs error on console    For details  see my answer here

User · Answer

ALLOW-FROM is not supported in Chrome or Safari   See MDN article  https   developer mozilla org en-US docs Web HTTP X-Frame-Options  You are already doing the work to make a custom header and send it with the correct data  can  you not just exclude the header when you detect it is from a valid partner and add DENY to every other request   I don t see the benefit of AllowFrom when you are already dynamically building the logic up

User · Answer

I posted this question and never saw the feedback  which came in several months after  it seems      As Kinlan mentioned  ALLOW-FROM is not supported in all browsers as an X-Frame-Options value   The solution was to branch based on browser type  For IE  ship X-Frame-Options  For everyone else  ship X-Content-Security-Policy   Hope this helps  and sorry for taking so long to close the loop

[firefox] X-Frame-Options: ALLOW-FROM in firefox and chrome

Examples related to firefox

Examples related to google-chrome

Examples related to x-frame-options

Examples related to clickjacking