
I found an interesting bug report related to the X-Frame-Options header. But I don't understand how this can be a security problem.

The following code is given as proof of the vulnerability:

require 'net/http'
require 'uri'

# Request an intentionally invalid path so the server answers with its error page
uri = URI.parse("https://play.google.com/#{"a" * 10000}")
response = Net::HTTP.get_response(uri)

# each_header yields the header name and its value
response.each_header { |name, value| puts "#{name}: #{value}" }

# Net::HTTPResponse#[] looks a header up case-insensitively
if response["x-frame-options"]
  puts response["x-frame-options"]
else
  puts "Missing x-frame-options!"
end

But it is trying to access an invalid URL (https://play.google.com/aaaaaaaaa...) and returns an error page. In the response, the x-frame-options header is missing. I don't understand how this can be a security vulnerability (since it is an invalid page and it's an error response). How can this be used for clickjacking? Why is it important that the error response should also have this header set?

aMa
  • Probably better asked on http://security.stackexchange.com. – SilverlightFox Feb 15 '15 at 12:09
  • An error page is just an HTML page like every other. In Google Play's case their system does not put the `X-Frame-Options` header in the HTTP response to generate the error page. This means that that page is _potentially_ vulnerable to clickjacking if there's anything on it that an attacker can gain from tricking the user to click there. It is not clear from the link what is displayed on this page - if you can show an app's install button then you could possibly get the user to install your malicious app. – SilverlightFox Feb 15 '15 at 12:20
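The check in the question only looks at one URL and one header. As an added example (not code from the question, the bug report, or Google), the script below turns it into a small audit of framing protection across several paths, so that an error page without the header stands out next to the normal pages. It evaluates both X-Frame-Options and the CSP frame-ancestors directive that supersedes it, and it runs offline: the responses are Net::HTTPResponse objects built locally from constructed sample headers, with paths chosen to mirror the question (the 10,000-character path standing in for the error page); none of them are real Google Play responses.

```ruby
require 'net/http'

# Verdict for one response: can a third-party origin put this page in a frame?
# Returns :protected, :restricted, :missing, :obsolete or :invalid.
def framing_protection(response)
  # Content-Security-Policy frame-ancestors wins over X-Frame-Options in browsers
  csp = response['content-security-policy']
  if csp
    directive = csp.split(';').map(&:strip)
                   .find { |d| d.downcase.start_with?('frame-ancestors') }
    if directive
      sources = directive.split(/\s+/).drop(1).map(&:downcase)
      return :protected if sources == ["'none'"] || sources == ["'self'"]
      return :restricted # explicit allow-list of origins; review it by hand
    end
  end

  xfo = response['x-frame-options']
  return :missing if xfo.nil? # the situation the question describes

  case xfo.strip.upcase
  when 'DENY', 'SAMEORIGIN' then :protected
  when /\AALLOW-FROM/ then :obsolete # ignored by current browsers, so no protection
  else :invalid # e.g. "ALLOWALL" or a typo: treated by browsers as absent
  end
end

# Build a response object locally so the example needs no network access.
def build_response(status, headers)
  resp = Net::HTTPResponse.new('1.1', status.to_s, status == 200 ? 'OK' : 'Not Found')
  headers.each { |name, value| resp[name] = value }
  resp
end

# Constructed sample responses: paths and headers are assumptions for this example.
SAMPLE_RESPONSES = {
  '/store/apps' => build_response(200, 'X-Frame-Options' => 'SAMEORIGIN'),
  '/' + 'a' * 10_000 => build_response(404, 'Content-Type' => 'text/html'),
  '/account' => build_response(200,
    'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'none'"),
  '/legacy' => build_response(200,
    'X-Frame-Options' => 'ALLOW-FROM https://partner.example')
}.freeze

# Map every path to its verdict; anything other than :protected deserves a look.
def audit(responses)
  responses.transform_values { |resp| framing_protection(resp) }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_RESPONSES).each do |path, verdict|
    shown = path.length > 40 ? path[0, 40] + '...' : path
    puts format('%-45s %s', shown, verdict)
  end
end
```

Against a real site the same audit would be fed with Net::HTTP.get_response for each path, including deliberately bad ones, because error handlers are frequently served by a different code path than the application and are where the header tends to go missing.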

1 Answer


You can add the following line to .htaccess

# "always" makes mod_headers add the header to error responses too, not only to successful ones
Header always set X-Frame-Options "SAMEORIGIN"
Martin