Mitigating framesniffing with the X-Frame-Options header

Article ID: 2694329 - View products that this article applies to.
Expand all | Collapse all

SUMMARY

Framesniffing is an attack technique that takes advantage of browser functionality to steal data from a website. Web applications that allow their content to be hosted in a cross-domain IFRAME may be vulnerable to this attack.

Administrators can mitigate framesniffing by configuring IIS to send an HTTP response header that prevents content from being hosted in a cross-domain IFRAME.

MORE INFORMATION

The X-Frame-Options header
(http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx)
 can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.

To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  3. Double-click the HTTP Response Headers icon in the feature list in the middle.
  4. In the Actions pane on the right side, click Add.
  5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
  6. Click OK to save your changes.

If you have other sites that need this configuration, repeat steps 2 through 6 for those sites also.

This change will prevent HTML pages on other domains from hosting your site in an IFRAME. For example, if the Contoso IT department applies this change to http://contoso.com, pages at http://fabrikam.com will no longer be able to display content from http://contoso.com in an IFRAME.

You can modify the value of the X-Frame-Options header to allow http://fabrikam.com to frame http://contoso.com while blocking all other domains. To do this, change the value of the X-Frame-Options header in step 5 to ALLOW-FROM http://fabrikam.com.

For more information about the X-Frame-Options header, see this MSDN blog post
(http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx)
.

To revert the change, follow these steps:
  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane on the left side, expand the Sites folder, and select the site where you made this change.
  3. In the feature list in the middle, double-click the HTTP Response Headers icon.
  4. In the list of headers that appears, select X-Frame-Options.
  5. Click Remove in the Actions pane on the right side.




Properties

Article ID: 2694329 - Last Review: March 24, 2012 - Revision: 1.0
APPLIES TO
  • Microsoft Office SharePoint Server 2007
  • Microsoft SharePoint Foundation 2010
  • Microsoft SharePoint Server 2010
  • Microsoft Windows SharePoint Services 3.0
Keywords: 
KB2694329
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top