Tag Archives: x-frame-options

x-frame-options coming to a Firefox near you

Microsoft IE8 introduced it, Apple Safari 4 has it, Google Chrome 4 does it, and now, somewhere in the not-too-distant future, Firefox will ship it too: support for X-FRAME-OPTIONS.

X-cuse me? Well, X-FRAME-OPTIONS is the HTTP response header that broke the Google Talk chat badge a few months ago, remember? It lets you specify whether your site or page may be (i)framed, by setting it to “DENY” (not allowed to be framed at all) or “SAMEORIGIN” (allowed only if the framing site is on the exact same domain). The main reason for this header is to prevent “clickjacking” (a.k.a. UI redressing), a type of web attack that tricks victims into clicking on a framed site by hiding it behind another, innocent-looking element.

So now that feature is finally coming to Firefox as well: Mozilla’s Brandon Sterne, one of the driving forces behind Mozilla’s much broader Content Security Policy, grabbed the bug by the balls and came up with a first patch. If all goes well, this would be an ideal candidate to get pushed out with a minor version update under the new release process, no?

Google inadvertently kills Talk badges with x-frame-options

Disaster has struck e-civilization; Google Talk chatback badges (as seen in the right column on this very blog) are broken! The small iframe remains grey in Firefox, but with some scrolling the following message can be seen:

This content cannot be displayed in a frame

To protect your security, the publisher of this content does
not allow it to be displayed in a frame.

Click here to open this content in a new window

Googling that error message brings up a blog post that explains what is going on: the HTTP response header of the page in the iframe includes “x-frame-options: sameorigin”. That directive tells most modern browsers not to display the page in the iframe (because it is not embedded in a page of the same origin), to protect you from possible clickjacking.

x-frame-options was introduced by Microsoft in IE8 and seems to be implemented in Safari 4 and Chrome 3 as well. Firefox, on the other hand, hasn’t included this feature (yet?), but I got the error message thanks to the great Firefox NoScript security extension, which (somewhat reluctantly) provides “bullet parity” with IE8’s security features this way (you can stop NoScript from doing this by setting “noscript.frameOptions.enabled” to “false” in about:config).

But back to the root of this problem: Google is breaking their own Talk chatback badge by adding “x-frame-options: sameorigin” to the response headers. Weird, huh?
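To make the DENY/SAMEORIGIN semantics from the first post and the broken-badge situation above concrete, here is a small checker that decides what an x-frame-options-aware browser does when one page frames another. This is an added example, not code from the blog, NoScript or Google; the hostnames and the captured header set are constructed placeholders, and the checker compares the framed page against the top-level page.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: response headers as a header-inspection tool would
# capture them from a widget page. Placeholder values, not the real badge.
SAMPLE_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
}

def origin_of(url: str) -> Tuple[str, str, Optional[int]]:
    """Return the (scheme, host, port) triple that defines a web origin."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname or "", parts.port or default_port)

def frame_decision(headers: Dict[str, str], framed_url: str, top_url: str) -> str:
    """Decide whether top_url may frame framed_url under its X-Frame-Options.

    Returns "allow", "deny", "no-policy" (header absent, so framing is not
    restricted) or "invalid" (value is neither DENY nor SAMEORIGIN; browser
    handling of such values differed, so flag it instead of guessing).
    """
    # Header names are case-insensitive, so match them that way.
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-frame-options"), None)
    if value is None:
        return "no-policy"
    value = value.strip().upper()
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        # Same origin means identical scheme, host and port.
        same = origin_of(framed_url) == origin_of(top_url)
        return "allow" if same else "deny"
    return "invalid"

if __name__ == "__main__":
    badge = "https://badge.example/chatback"
    # The post's case: a SAMEORIGIN widget embedded on a third-party blog.
    print(frame_decision(SAMPLE_HEADERS, badge, "https://blog.example/"))       # deny
    # The same widget framed by a page on its own origin.
    print(frame_decision(SAMPLE_HEADERS, badge, "https://badge.example/page"))  # allow
```

Run it against headers captured from your own embeddable widgets before shipping SAMEORIGIN: anything meant to be framed by other sites will come back "deny".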