Warm tip: This article is reproduced from serverfault.com, please click
apache iframe x-frame-options

X-Frame-Options not blocking iframe

发布于 2021-01-11 12:11:45

I have set the X-Frame-Options header in Apache to DENY. The response header is correctly sent to the browser (see image). I just created a simple HTML file that loads an iframe which is loaded without any issue. I also checked Chrome devtools and the response header returns "x-frame-options: DENY". I was assuming that the header would block all iframes from being loaded?

X-Frame-Options Response

Full Response Header

Questioner
Jordi
Viewed
0
分享
vovchisko 2021-01-11 23:59:47

Not really. X-Frame-Options: DENY prevent YOUR page from being loaded inside an iframe.

X-Frame-Options: SAMEORIGIN - will block only loading from other domains.

It does nothing with iframes on the current page.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a , ,

Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Jordi 2021-01-12 10:23:12

That explains! I was misinterpreting ClickJacking attacks as injecting a malicious iframe (by exploiting other vulnerabilities) onto the original webpage which could than be prevented by telling the browser to deny loading iframes. But that is not the case, thanks a lot.

热门帖子

1
有什么不错的口粮茶推荐吗
2
求教 nas+盒子流畅观看 4k 原盘的方案
3
有人需要代开吗 虚拟卡付款 120 一月
4
BT 真的死了吗
5
Win11 绕过 TPM2.0 安装后能否正常更新
6
MES给制造业带来看得见的效益
7
2024 了 苹果为什么还是不上电荷泵?
8
Casvisor:带 Web UI 的开源堡垒机,支持 RDP、VNC、SSH 远程桌面、主机和数据库管理、批量执行命令、单点登录
9
App Store (iOS) 能不能赠送“内购项目”给别人?
10
移动芒果卡 59 月租升到 79,到处都不能办?!

热门github

1
A multi-platform library for OpenGL, OpenGL ES, Vulkan, window and input
2
Dev tool that writes scalable apps from scratch while the developer oversees the implementation
3
shadcn/ui, but for Svelte. ✨
4
The Python Risk Identification Tool for generative AI (PyRIT) is an open access automation framework to empower security professionals and machine learning engineers to proactively find risks in their generative AI systems.
5
Performance-portable, length-agnostic SIMD with runtime dispatch
6
ZK Credo
7
OpenCodeInterpreter: Integrating Code Generation with Execution and Refinement
8
Joplin - the secure note taking and to-do app with synchronisation capabilities for Windows, macOS, Linux, Android and iOS.
9
Mamba is a new state space model architecture showing promising performance on information-dense data such as language modeling, where previous subquadratic models fall short of Transformers. It is based on the line of progress on structured state space models, with an efficient hardware-aware design and implementation in the spirit of FlashAttention.
10
This repository contains System Design resources which are useful while preparing for interviews and learning Distributed Systems
11
Curso para aprender el lenguaje de programación Python desde cero y para principiantes. 75 clases, 37 horas en vídeo, código, proyectos y grupo de chat. Fundamentos, frontend, backend, testing, IA...
12
🎓 Path to a free self-taught education in Computer Science!
13
1️⃣🐝🏎️ The One Billion Row Challenge -- A fun exploration of how quickly 1B rows from a text file can be aggregated with Java
14
A collective list of free APIs
15
📚 Freely available programming books