Problem/Motivation

It was brought to our attention that a website we manage was susceptible to potential clickjacking attacks, despite us knowing we've set the x-frame-options header using the Seckit module and that displaying the site in an iframe shouldn't be possible.

We've done a quick check and it turns out the site was loaded just fine in an <iframe>.

Investigating further, it turns out the allow-from directive is obsolete and no longer respected by modern browsers (DENY and SAMEORIGIN are still ok to be used):
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

If set, it basically behaves as if no header is present and allows the site to be displayed in an iframe. Instead of 'allow-from' the frame-ancestors CSP should be used.

Looks like 'allow-from' was always a partial solution as it was only supported by Firefox initially and not by Chrome nor Safari. See this discussion from 2012.

Note: this was raised as a security issue and was deemed safe by the security team to be public, so I am raising it here now.

I've raised this against the latest branch, but all branches have this option, including D7.

Steps to reproduce

Set X-Frame-Options value to 'ALLOW-FROM' and provide an allowed URL.

Create a very simple HTML file with <iframe width=100% height=80% src="https://www.mywebsite.com"></iframe> and load it in the browser.

The website will be loaded in the iframe and inspecting the Chrome Console output we see the error:
Invalid 'X-Frame-Options' header encountered when loading https://www.mywebsite.com: 'ALLOW-FROM' is not a recognized directive. The header will be ignored.

Proposed resolution

The option for 'ALLOW-FROM' should be removed to prevent others from relying on it and thinking the site was safe.
Along with the Origin URIs' text area as that would become obsolete afterwards.

The link in the box for "MSDN article" (http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clic...) is actually broken (a 403) so could be replaced with the Mozilla one: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

The helper text below X-Frame-Options with the possible values needs updating and should potentially point people in the direction of using frame-ancestors instead of allow-from.

Remaining tasks

User interface changes

API changes

Data model changes
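To make the behaviour described in the summary and the reproduction steps concrete from the defender's side, here is a small audit script (added example, not part of this issue or of the Security Kit module) that evaluates a response's framing-protection headers the way a current browser does: a CSP frame-ancestors directive takes precedence when present, DENY and SAMEORIGIN are honoured, and an ALLOW-FROM value (or any unrecognised value) causes the whole X-Frame-Options header to be ignored. The sample header sets, the hostname https://www.mywebsite.com taken from the reproduction steps, and https://partner.example are constructed inputs; the optional fetch_headers helper is only there to run the same check against a live site you administer.

```python
"""Audit framing-protection headers as a modern browser would evaluate them.

Added example for this issue; not code from the Security Kit module.
"""
import urllib.request
from typing import Dict, List, Optional, Tuple

# Sources that let any origin frame the page; a frame-ancestors list built
# from these is not a protection.
PERMISSIVE_SOURCES = {"*", "http:", "https:"}


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent.

    An empty source list matches nothing, so it is reported as 'none'.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] or ["'none'"]
    return None


def audit_framing(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    Header names are matched case-insensitively, as browsers do.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    # CSP3: when frame-ancestors is present the X-Frame-Options header is ignored.
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            if any(src in PERMISSIVE_SOURCES for src in ancestors):
                return False, f"frame-ancestors {' '.join(ancestors)} permits any framer"
            return True, f"CSP frame-ancestors {' '.join(ancestors)} governs framing"

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options header and no frame-ancestors directive"

    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {value} is honoured"
    if value.startswith("ALLOW-FROM"):
        # This is the case from the issue: browsers drop the header entirely,
        # so the page is framable by anyone.
        return False, "X-Frame-Options ALLOW-FROM is obsolete; browsers ignore the header"
    return False, f"X-Frame-Options {value!r} is not a recognised directive; header ignored"


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch response headers from a site you administer (network required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample configurations, mirroring the issue's scenarios.
SAMPLES = {
    "seckit allow-from (broken)": {
        "X-Frame-Options": "ALLOW-FROM https://www.mywebsite.com"},
    "seckit deny": {"X-Frame-Options": "DENY"},
    "seckit sameorigin": {"x-frame-options": "sameorigin"},
    "csp frame-ancestors": {
        "Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://partner.example"},
    "csp wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "no headers": {},
}


def audit_samples() -> Dict[str, bool]:
    """Run the audit over every constructed sample and return name -> protected."""
    return {name: audit_framing(hdrs)[0] for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        protected, reason = audit_framing(hdrs)
        print(f"{'OK  ' if protected else 'FAIL'} {name}: {reason}")
```

Running the script flags only the ALLOW-FROM, wildcard and no-header cases as framable, which is exactly the scanner result reported in the comments: a site configured with ALLOW-FROM audits the same as a site with no header at all. For an existing site the fix is the one proposed above, DENY or SAMEORIGIN in Seckit, or a frame-ancestors directive listing the specific origins that are allowed to embed it.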

Comments

oldspot created an issue.

vishtg commented:

Thank you for opening this ticket.
We are getting the same issue. Our site got scanned and reported as framable despite being set in seckit.
We need to find a solution please.

oldspot commented:

The solution really is to either set the value to Deny or Sameorigin depending on your website’s needs. In our case we just set it to Deny.
The proposed resolution above is mainly to help people in the future by preventing them from choosing the broken option.
We’d also have to decide what value to set it to for sites that already have the value set to Allowfrom - should they default to Deny or Sameorigin?