HTTP Header Field X-Frame-Options
draft-ietf-websec-x-frame-options-08

Document type: Active Internet-Draft (websec WG)
Last updated: 2013-08-12 (latest revision 2013-08-11)
Replaces: draft-gondrom-x-frame-options
Stream: IETF
Intended RFC status: Informational
WG state: Submitted to IESG for Publication
Consensus: Yes
Document shepherd: Yoav Nir
Shepherd write-up: last changed 2013-07-15
IESG state: IESG Evaluation
Responsible AD: Barry Leiba
Send notices to: websec-chairs@tools.ietf.org, draft-ietf-websec-x-frame-options@tools.ietf.org, websec@ietf.org
IANA review state: Version Changed - Review Needed
IANA action state: None
WEBSEC                                                           D. Ross
Internet-Draft                                                 Microsoft
Intended status: Informational                                T. Gondrom
Expires: February 12, 2014                                Thames Stanley
                                                         August 11, 2013

                   HTTP Header Field X-Frame-Options
                  draft-ietf-websec-x-frame-options-08

Abstract

   To improve the protection of web applications against Clickjacking,
   this definition describes the X-Frame-Options HTTP response header
   field that declares a policy communicated from the server to the
   client browser on whether the browser may display the transmitted
   content in frames that are part of other web pages.  This
   informational document serves to document the existing use and
   specification of this X-Frame-Options HTTP response header field.
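
   The following JavaScript is an added example, not text or code from
   this draft, modelling how a browser can evaluate the X-Frame-Options
   policy the abstract describes: the header value is parsed into one of
   the directives DENY, SAMEORIGIN or ALLOW-FROM, and the decision is made
   against the chain of ancestor origins of the frame.  The function names,
   the representation of the ancestor chain (immediate parent first,
   top-level document last), the choice to compare every ancestor for
   SAMEORIGIN, to compare only the top-level origin for ALLOW-FROM, and the
   treatment of an absent or malformed header as "no policy" are
   assumptions of this example and are not mandated by the draft; real
   browsers differ on several of these points.

```javascript
// Added example (not part of the draft): a model of X-Frame-Options
// enforcement.  Origins are compared as ASCII-serialized
// "scheme://host[:port]" strings, as produced by URL.origin.

// Parse a header value into { directive, origin? }, or null when the
// value is not a single recognised directive.
function parseXFrameOptions(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  if (/^DENY$/i.test(v)) return { directive: 'DENY' };
  if (/^SAMEORIGIN$/i.test(v)) return { directive: 'SAMEORIGIN' };
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(v);
  if (m) {
    try {
      // Only scheme, host and port of the URI matter; the path is dropped.
      return { directive: 'ALLOW-FROM', origin: new URL(m[1]).origin };
    } catch (e) {
      return null; // not a parseable URI
    }
  }
  // e.g. "DENY, SAMEORIGIN" or a misspelt directive: no usable policy
  return null;
}

// Decide whether a document from `documentOrigin`, sent with the given
// X-Frame-Options value, may be rendered inside the frame described by
// `ancestors` (origins ordered from immediate parent to top-level page).
// An empty chain means the document is itself the top-level page.
function mayRenderInFrame(headerValue, documentOrigin, ancestors) {
  if (ancestors.length === 0) return true; // not framed at all
  const policy = parseXFrameOptions(headerValue);
  // Assumption: an absent or malformed header yields no protection,
  // which is why a typo in the header value is a real failure mode.
  if (policy === null) return true;
  const topLevel = ancestors[ancestors.length - 1];
  switch (policy.directive) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      // Assumption (conservative reading): every ancestor in the chain
      // must share the framed document's origin.
      return ancestors.every((o) => o === documentOrigin);
    case 'ALLOW-FROM':
      // Assumption: the listed origin is compared with the top-level
      // browsing context only.
      return topLevel === policy.origin;
    default:
      return false;
  }
}

// Constructed scenario: a shop page is framed by an unrelated site.
function clickjackingScenarioBlocked() {
  const shop = 'https://shop.example'; // hypothetical origin
  const attacker = 'https://attacker.example'; // hypothetical origin
  return {
    withSameOrigin: mayRenderInFrame('SAMEORIGIN', shop, [attacker]),
    withDeny: mayRenderInFrame('DENY', shop, [attacker]),
    withTypo: mayRenderInFrame('SAME-ORIGIN', shop, [attacker]),
  };
}

module.exports = { parseXFrameOptions, mayRenderInFrame, clickjackingScenarioBlocked };
```

   The last function makes the practical point: SAMEORIGIN and DENY both
   stop the cross-site frame, while the misspelt value "SAME-ORIGIN" is
   not a valid directive and leaves the page frameable, so the header
   value should be checked exactly as the server emits it.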

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 12, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Ross & Gondrom          Expires February 12, 2014               [Page 1]
Internet-Draft               X-Frame-Options                 August 2013

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   2.  X-Frame-Options Header  . . . . . . . . . . . . . . . . . . .   3
     2.1.  Syntax  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  Augmented Backus-Naur Form (ABNF) . . . . . . . . . . . .   4
       2.2.1.  Examples of X-Frame-Options . . . . . . . . . . . . .   5
     2.3.  Design Issues . . . . . . . . . . . . . . . . . . . . . .   5
       2.3.1.  Enable HTML content from other domains  . . . . . . .   5
       2.3.2.  Browser Behaviour and Processing  . . . . . . . . . .   6
         2.3.2.1.  Violation of X-Frame-Options  . . . . . . . . . .   6
         2.3.2.2.  Variation in current browser behaviour  . . . . .   6
         2.3.2.3.  Usage design pattern and example scenario for the
                   ALLOW-FROM parameter  . . . . . . . . . . . . . .   7
   3.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
     4.1.  Registration Template . . . . . . . . . . . . . . . . . .   7
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
     5.1.  Privacy Considerations  . . . . . . . . . . . . . . . . .   8
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Appendix A.  Browsers that support X-Frame-Options  . . . . . . .  10
   Appendix B.  Description of a Clickjacking attack . . . . . . . .  10
     B.1.  Shop  . . . . . . . . . . . . . . . . . . . . . . . . . .  11
     B.2.  Online Shop Confirm Purchase Page . . . . . . . . . . . .  11
     B.3.  Flash Configuration . . . . . . . . . . . . . . . . . . .  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   In 2009 and 2010 many browser vendors ([Microsoft-X-Frame-Options],
   [CLICK-DEFENSE-BLOG], [Mozilla-X-Frame-Options]) introduced the use
   of a non-standard HTTP [RFC2616] header field "X-Frame-Options" to
   protect against Clickjacking [Clickjacking].  HTML-based web