What do frame-ancestors or X-Frame-Options do?
The default web framing behavior lacks proper isolation
The web has a very open nature by default. You site or critical web application, will by-default "agree" to be embedded in any other website in the world. Moreover, it will include the authenticated cookies in the requests to your server.
frame-ancestors & X-Frame-Options (XFO) provide control on framing
You can explicitly limit the ability to embed your site the
CSP frame-ancestors and/or the legacy
X-Frame-Options. When you configure these HTTP Response Security Headers in web page responses the browsers will BLOCK the loading of the content in the iframe - even if it was approved and provided by the server.
Example of CSP frame-ancestors error code:
When you frame a site with
Content-Security-Policy HTTP response header set as
frame-ancestors: 'self'; in a different site, you will see:
Refused to frame 'https://SOME_SITE/' because it violates the following Content Security Policy directive: "frame-src 'self';".
Example of XFO error code:
When you frame a site with
X-Frame-Options HTTP response header set as
SAMEORIGIN in a different site, you will see:
Refused to display 'https://myaccount.google.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Why are frame-ancestors or X-Frame-Options Security Headers even needed?
Attackers can frame your site in theirs
As mentioned - your site is embeddable by default anywhere. This means that attackers can target your site if it has not limited the ability to be framed.
Clickjacking (UI redressing) is a creative attack in which the attacker lures the victim into their site, frames YOUR site in and invisible
iframe (or other frame), and causes the victim to perform unwanted actions in your site/application.
More on this Clickjacking in the PortSwigger Tutorial.
Even companies with top R&D talent are not immune to this attack. Attackers (and security researchers) are always finding creative ways to get around this inherent isolation problem in the web architecture.
See this case in a researcher found a way to eavesdrop on unsuspecting victims via a Clickjacking attacks on Google Docs:
How to Protect from Clickjacking
CSP frame-ancestors is the main strategy!!!
CSP frame-ancestors is the most important protection mechanism against external framing, and better than
X-Frame-Options in multiple ways:
- CSP Frame Ancestors can run in Report-Only Mode. This is a big deal when you want to roll-out protections on production systems in a safe way without causing regressions.
- CSP Frame Ancestors will send violation reports to your Report-Uri / Report-To. This is super important for mapping out risks and observing your traffic (in monitoring or enforced mode).
- Unlike XFO, CSP Frame Ancestors covers Ancestors. This means that it's more powerful and effective blocking for some use-cases like this report of a wormable clickjacking attack.
- CSP frame-ancestors is more flexible, allowing custom domains:
Content-Security-Policy: frame-ancestors 'self' mysubdomain.mysite.com https://frame.partner-site.com;
While this flexibility is theoretically supported by XFO
ALLOW-FROM- in practice it is not supported
X-Frame-Options is a graceful degradation for Clickjacking protection
More simply said - it's a fallback for crappy browsers that don't support CSP: ~5% of web traffic as of Nov 2021
So which should I use? XFO or CSP frame-ancestors?
Use BOTH CSP frame-ancestors and X-Frame-Options for best protection and coverage across browsers.
Benefits of running CSP frame-ancestors with RapidSec
Building your allowlist for
CSP frame-ancestors with RapidSec CSP generator is easy and effective, avoiding any regressions in your production systems.
CSP is also the underlying structure that we use for the RapidSec Clickjacking Threat detection:
Beyond CSP, there are other effective measures to protect against clickjacking, such as properly settings SAMESITE Strict / Lax cookies, but more on that in a future post. Read more in OWASP Clickjacking Defense Cheat Sheet.
Running these clickjacking protection headers is an essential part of maintaining a proper web security posture!
Looking for an enterprise-grade CSP solution? Book a RapidSec demo today.