Problem/Motivation
It was brought to our attention that a website we manage was susceptible to potential clickjacking attacks, despite us knowing we've set the x-frame-options header using the Seckit module and that displaying the site in an iframe shouldn't be possible.
We've done a quick check and it turns out the site was loaded just fine in an <iframe>.
Investigating further, it turns out the allow-from directive is obsolete and no longer respected by modern browsers (DENY and SAMEORIGIN are still ok to be used):
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
If set, it basically behaves as if no header is present and allows the site to be displayed in an iframe. Instead of 'allow-from', the frame-ancestors CSP directive should be used.
Looks like 'allow-from' was always a partial solution as it was only supported by Firefox initially and not by Chrome nor Safari. See this discussion from 2012.
Note: this was raised as a security issue and was deemed safe by the security team to be public, so I am raising it here now.
I've raised this against the latest branch, but all branches have this option, including D7.
Steps to reproduce
Set X-Frame-Options value to 'ALLOW-FROM' and provide an allowed URL.
Create a very simple html file with <iframe width=100% height=80% src="https://www.mywebsite.com"></iframe> and load it in the browser.
The website will be loaded in the iframe and inspecting the Chrome Console output we see the error:
Invalid 'X-Frame-Options' header encountered when loading https://www.mywebsite.com: 'ALLOW-FROM' is not a recognized directive. The header will be ignored.
Proposed resolution
The option for 'ALLOW-FROM' should be removed to prevent others from relying on it and thinking the site was safe.
Along with the Origin URIs text area, as that would become obsolete afterwards.
The link in the box for "MSDN article" (http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clic...) is actually broken (a 403) so could be replaced with the Mozilla one: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
The helper text below X-Frame-Options with the possible values needs updating and should potentially point people in the direction of using frame-ancestors instead of allow-from.
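To make the failure mode above concrete, here is an added audit check (not part of Security Kit or Drupal) that classifies a response's framing protection the way a modern browser treats it: an enforcing CSP frame-ancestors directive wins, DENY/SAMEORIGIN are honoured, and ALLOW-FROM causes the whole X-Frame-Options header to be ignored. The header values and the `partner.example` origin are constructed for the example.

```python
# Added example (not Security Kit module code): classify a response's framing
# protection as a modern browser would, to catch the silent ALLOW-FROM failure
# described in this issue. All header values below are constructed.
from typing import Dict, Optional

# Directives browsers still honour; ALLOW-FROM is parsed as invalid and the
# whole header is then ignored (see the Chrome console message in the issue).
VALID_XFO = {"DENY", "SAMEORIGIN"}


def frame_ancestors(csp: Optional[str]) -> Optional[str]:
    """Return the frame-ancestors source list from a CSP header, or None."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]) or "'none'"  # empty list matches no ancestor
    return None


def framing_policy(headers: Dict[str, str]) -> dict:
    """Decide whether the response restricts framing and why.

    Header names are matched case-insensitively. An enforcing CSP takes
    precedence over X-Frame-Options; a Report-Only CSP restricts nothing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is not None:
        return {"enforced": True, "source": "csp", "detail": f"frame-ancestors {sources}"}
    xfo = h.get("x-frame-options", "").strip()
    token = xfo.split()[0].upper() if xfo else ""
    if token in VALID_XFO:
        return {"enforced": True, "source": "xfo", "detail": token}
    if token == "ALLOW-FROM":
        return {"enforced": False, "source": "xfo",
                "detail": "ALLOW-FROM is obsolete; browsers ignore the header, use CSP frame-ancestors"}
    return {"enforced": False, "source": "none", "detail": "no framing restriction"}


# Constructed responses: the weak setting from the issue and its CSP replacement.
WEAK = {"X-Frame-Options": "ALLOW-FROM https://partner.example"}
FIXED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("fixed", FIXED)):
        print(name, framing_policy(hdrs))
```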
Remaining tasks
User interface changes
API changes
Data model changes