CheatSheetSeries icon indicating copy to clipboard operation
CheatSheetSeries copied to clipboard
verified publisher icon OWASP

X-Frame-Options + browsers

Open drwetter opened this issue 5 months ago • 8 comments

  • Remove X-Frame-Options
  • Clarify use of headers

Please make sure that for your contribution:

  • [ ] In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • [x] All the markdown files do not raise any validation policy violation, see the policy.
  • [x] All the markdown files follow these format rules.
  • [ ] All your assets are stored in the assets folder.
  • [ ] All the images used are in the PNG format.
  • [ ] Any references to websites have been formatted as [TEXT](URL)
  • [ ] You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • [ ] The CI build of your PR pass, see the build status here.

drwetter avatar Jul 21 '25 07:07 drwetter

Discussing in Slack. Main question is what the source is that the x-frame-options header is deprecated.

szh avatar Jul 21 '25 13:07 szh

According to CanIUse X-Frame-Options support has been consistent (not complete, but consistent) for years.

https://caniuse.com/?search=x-frame-options

jmanico avatar Jul 21 '25 16:07 jmanico

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options gives no indications that its depreciated. The ALLOW-FROM origin is obsolete, but not the whole header.

psiinon avatar Jul 21 '25 16:07 psiinon

First of all, this is a REST API where the client is likely not a browser. I'd suggest to phrase that better in the cheat sheet. curl / java / php client etc do not care about those headers -- IMHO.

@jmanico : Caniuse says The X-Frame-Options header has been obsoleted by the frame-ancestors directive from Content Security Policy Level 2. It's way more flexible, maybe deprecated was the wrong term. Given that and the fact we're talking about a REST API I believe it doesn't hurt to remove that line here.

drwetter avatar Jul 21 '25 18:07 drwetter

First of all, this is a REST API where the client is likely not a browser. I'd suggest to phrase that better in the cheat sheet. curl / java / php client etc do not care about those headers -- IMHO.

Good suggestion, clarifying that this is for web browsers is a good idea.

@jmanico : Caniuse says The X-Frame-Options header has been obsoleted by the frame-ancestors directive from Content Security Policy Level 2. It's way more flexible, maybe deprecated was the wrong term. Given that and the fact we're talking about a REST API I believe it doesn't hurt to remove that line here.

REST API's are frequently used for web clients. But this header is very legacy and we need to clarify the details as the OP suggests.

I do not want to delete this but I do suggest we change with these two considerations:

  1. Change X-Frame-Options to X-Frame-Options AND/OR CSP frame-ancestors
  2. Explain this is only needed if this API serves web clients and that is not necessary if it does not

Would these suggestions help satisfy your concerns, @drwetter ?

jmanico avatar Jul 21 '25 22:07 jmanico

@drwetter what do you think about @jmanico suggestion?

mackowski avatar Oct 03 '25 12:10 mackowski

@drwetter ping ;-)

mackowski avatar Nov 14 '25 14:11 mackowski

Sorry for letting this hang. And thanks for your persistence!

My head is occupied with too much stuff. Like to get back latest on this in December during the first week.

drwetter avatar Nov 14 '25 14:11 drwetter