
It seems setting X-Frame-Options to deny is the most recommended method to prevent my website from being iframed. But it is not perfect. First off, X-Frame-Options can be ignored by using a Chrome extension, as discussed in the post below. I have proved this is the case by using the Ignore X-Frame headers Chrome extension.

Getting around X-Frame-Options DENY in a Chrome extension?

Secondly, X-Frame-Options deny only works on the first iframe of a web page: if I iframe a web page twice, the second iframe works.

My question is, what is the best multipronged approach to prevent my website from being iframed?

user1609391

1 Answer


X-Frame-Options is just a response header. Of course if you control the client, you can ignore it. If you control the client, you can do pretty much anything.

The point of X-Frame-Options is to prevent attacks like Clickjacking (primarily) or Pixel Perfect Timing Attacks, for example. It does indeed prevent those attacks, because the attacker cannot control the victim's browser to, say, install an extension (or if he can, Clickjacking is the least issue from the victim's perspective :) ).

Gabor Lengyel
  • Thank you for your response. You stated "if you control the client, you can ignore it"; does that mean if a user (client) has a Chrome extension installed, that extension has control of the client's computer? – user1609391 Mar 02 '18 at 22:48
  • Well, an extension can't do anything, but it has a lot of control over webpages loaded in the browser, it may have some level of access (maybe limited I guess) to the filesystem, etc. I'm not an expert in extensions, and it may differ by browser, so have a look at the docs! But an extension definitely does have access to webpages in the browser if the user grants that access; it can read and modify them, can get any data entered by the user in pages, etc. – Gabor Lengyel Mar 02 '18 at 22:56
  • @Gabor thank you again. As far as preventing my site from being iframed, is X-Frame-Options the best approach? – user1609391 Mar 02 '18 at 23:47
  • @user1609391 I would say yes, because it's very simple and compatible. A newer but somewhat more complex alternative is [Content-Security-Policy: frame-ancestors 'none'](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors). If you are unsure, go for X-Frame-Options. – Gabor Lengyel Mar 03 '18 at 00:57
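The "multipronged" approach the question asks for, and the CSP `frame-ancestors` alternative the last comment mentions, as an added example that is not part of the original question, answer or comments. The first function builds the response headers a server should send (both `X-Frame-Options` for older browsers and `Content-Security-Policy: frame-ancestors` for current ones); the second simulates how a browser evaluates them against the chain of ancestor origins, which is where the nested-iframe concern is settled: `frame-ancestors` is checked against every ancestor up to the top-level document, and when both headers are present the CSP directive takes precedence. Function names, the origin values and the simplified source matcher (exact origins, `'self'`, `'none'`, `*` only) are assumptions of this example, not anything from the page.

```javascript
// Added example, not code from the original post. Origins below are constructed.
const SITE_ORIGIN = "https://example.test";

// Server side: emit both headers so that browsers honouring CSP use
// frame-ancestors and older browsers fall back to X-Frame-Options.
// policy: "none" (no framing), "self" (same-origin only) or
// "allowlist" (same-origin plus the listed partner origins).
function antiFramingHeaders(policy = "none", allowedOrigins = []) {
  const headers = {};
  if (policy === "none") {
    headers["X-Frame-Options"] = "DENY";
    headers["Content-Security-Policy"] = "frame-ancestors 'none'";
  } else if (policy === "self") {
    headers["X-Frame-Options"] = "SAMEORIGIN";
    headers["Content-Security-Policy"] = "frame-ancestors 'self'";
  } else if (policy === "allowlist") {
    // X-Frame-Options has no working multi-origin allowlist (ALLOW-FROM is
    // obsolete), so the fallback is SAMEORIGIN and CSP carries the real list.
    headers["X-Frame-Options"] = "SAMEORIGIN";
    headers["Content-Security-Policy"] =
      "frame-ancestors 'self' " + allowedOrigins.join(" ");
  } else {
    throw new Error("unknown policy: " + policy);
  }
  return headers;
}

// Extract the source list of the frame-ancestors directive from a CSP header
// value; returns null when the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Simplified CSP source matching: 'none' blocks everything, 'self' matches
// the site's own origin, '*' matches any origin, anything else is compared
// as an exact origin (scheme and host wildcards are not modelled here).
function matchesSource(sources, origin, siteOrigin) {
  if (sources.includes("'none'")) return false;
  return sources.some(
    (s) => s === "*" || (s === "'self'" && origin === siteOrigin) || s === origin
  );
}

// Browser side: ancestors lists the ancestor origins from the immediate parent
// up to the top-level document. Every ancestor must be permitted, so wrapping
// the page in a second iframe does not escape the check. frame-ancestors,
// when present, overrides X-Frame-Options.
function isFramingAllowed(headers, siteOrigin, ancestors) {
  if (ancestors.length === 0) return true; // top-level load, nothing to check
  const sources = parseFrameAncestors(headers["Content-Security-Policy"]);
  if (sources !== null) {
    return ancestors.every((a) => matchesSource(sources, a, siteOrigin));
  }
  const xfo = (headers["X-Frame-Options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return ancestors.every((a) => a === siteOrigin);
  return true; // no anti-framing header at all: framing is allowed
}

// Usage: a page served with the "none" policy, loaded inside two nested
// iframes hosted on a constructed third-party origin.
const denyHeaders = antiFramingHeaders("none");
console.log(
  isFramingAllowed(denyHeaders, SITE_ORIGIN, [
    "https://attacker.test",
    "https://attacker.test",
  ])
); // prints false
```

Because the check runs in the victim's browser, a browser the victim has modified (for example with the extension the question mentions) can still ignore both headers; the defence targets the case the answer describes, where the attacker controls the framing page but not the victim's browser.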