IEBlog

IE8 in Win7 doesn't start with an empty cookie jar

> Unfortunately, typical frame-busting mechanisms rely on script and as a result can be defeated in various ways.

I'm curious as to how one can defeat a simple frame-busting script. From what I read on the web it can't be done. Anyone found any proof of concept?

Can you guys please fix the zooming in/out when viewing huge images?

it lags a lot, firefox 3 doesn't have this problem.

here is a picture for example:

http://spaceflight.nasa.gov/gallery/images/shuttle/sts-109/hires/sts109-729-072.jpg

open it in IE8 RC1, wait for it to load completely then see how extremely laggy zooming get.

testing testing testing...  please ignore.  typing enough so this won't be flagged as spam.  blah blah blah blah blah

Instead of inventing a specific header for just this problem, did you guys consider adding a stanza to something more general, like Content Security Policies?

http://people.mozilla.org/~bsterne/content-security-policy/details.html

A "parent-src" option there would achieve the same thing, but would also allow you to extend your implementation to support the other desirable things in CSP for the prevention of other cross-site content issues. At this rate, we are going to have a header for each security issue we discover with the web. X-Prevent-CVE-2009-1245: yes?

A small amount of discussion with other vendors prior to your announcement would have allowed ideas like this to be considered much more easily. You now have a problem in that if you do decide that not everything useful is invented at Microsoft and adapt to use a more generic mechanism such as CSP, you have to tell everyone you've changed the name of the header you've chosen. :-((

Gerv

@Gerv: Yes, making this a part of Content Security Policy and the like was considered, a point I alluded to in the conclusion.  The reality is that adding CSP-like mechanisms is out of scope for IE8, and this is an issue that we wanted to address in the short-term.

As noted in the post, we did have conversations with other browser venders in December about what we were doing and why. As for the suggestion that the "Don't frame me" header is somehow a unique Microsoft invention-- that's not the case, as demonstrated by links in the post.  

@Anonymous Hippopatamus: On RC1 of IE8 and later, InPrivate starts with an empty cookie jar.  This wasn't true in Beta builds.

@Analgesia: There are a number of techniques that can cause frame-busting scripts to fail.  For instance, if the user has scripting disabled, or, if the frame has the SECURITY=RESTRICTED attribute set, etc.

@EricLaw: thanks for replying so quickly :-) I'm not asking you to implement CSP, just to get as far as saying "that seems like a good idea" and therefore pick a CSP-compatible syntax rather than inventing another header. So:

X-Content-Security-Policy: parent-src none

rather than

X-Frame-Options: deny

and the same for "self" mapping to your "sameorigin". This would require, I would assume, only a few string changes on your side from what you currently have already, and yet would mean we didn't get proliferating headers solving every different kind of security issue, causing web developer confusion and response bloat. I can imagine, for example, a "CSP Constructor" website which made an X-CSP header based on the requirements you entered.

BTW, dveditz commented in our bug https://bugzilla.mozilla.org/show_bug.cgi?id=475530 that "sameorigin" is the same as "deny" unless you don't trust your own site - and if your own site is untrustworthy, they could use XHR to get the data anyway. So the two are effectively equivalent. Is that your understanding?

Gerv

Since the release of Internet Explorer 8 beta 2, we’ve listened, watched and learned a lot about how

@Gerv: The comment: "We look forward to ... a larger security policy feature" was meant to suggest that I think CSP is a good idea.  The problem in targeting a moving spec is that if we ship something that isn't compatible with the future evolution of that spec, we're inevitably pilloried for hurting adoption of that spec.  So until we're ready to support a stable CSP spec, we're surgically addressing this vector.

The question of when to use DENY and when to use SAMEORIGIN is an interesting one.  It comes down to the expected use case for the page protected with the directive.  If you never expect the page to be framed, you should use DENY.  If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN.

Keep in mind that if you use SAMEORIGIN, IE8 will forbid framing only if the *top-level* origin FQDN (aka what you see in the address bar) does not match the FQDN of the page that demanded SAMEORIGIN.

So, if your site permits hosting of arbitrary frames (say you've got a page like:  http://victimSite.com/FrameIt.asp?embedframeURL=Attacker.com/eviloverlay), it should NOT use SAMEORIGIN and should use DENY instead.  

Otherwise, VictimSite is vulnerable to ClickJacking by Attacker.com by virtue of the fact that the top-level document (victimsite.com/Frameit.asp) and the grandchild frame (victimsite.com/target.asp) are same-origin.

Eric: Ah, right. Thanks for the explanation :-)

IEBlog も一気呵成でお疲れ様ですが。 IE8 プレテストスイート 的な Windows Internet Explorer Testing Center...

X-FRAME-OPTIONS seems to be a bit limited since you cannot explicitly allow framing by a set of 'trusted' domains. With regards to SAMEORIGIN; does document.domain play a part in that (e.g. when you set that for domain relaxation?).

Another question is: can you also set it as a META http-equiv?

@Tino: Yes, the fact that X-FRAME-OPTIONS does not support a list of domains is a limitation.  As noted previously, I believe that framing restrictions will eventually become a part of a richer ACL'ing model.  For now, we believe the feature has significant value for the many cases where it's reasonable to host certain CSRF-sensitive pages only in their origin domain.

Document.domain does not figure in; the actual origin FQDN is used rather than document.domain. This reduces attack surface against the various hacks that might be attempted otherwise (e.g. evil.users.spaces.live.com tries to CJ against live.com)

At the moment, our recommendation is to use the HTTP Header.  In the future, more formal guidance will be available on MSDN in the developer documentation.

@Tino: I suspect all of the current browser vendors deeply regret document.domain and will strenuously resist adding new capabilities to that gaping hole in the same-origin policy. Document.domain is unnecessary, the uses it was invented to enable can be accomplished in many other ways with modern browsers.

> I'm curious as to how one can defeat a simple frame-busting script. From what I read on the web it can't be done. Anyone found any proof of concept?

This can be defeated only with IE's non-standard html extension to my knowledge: [IFRAME security="restricted"] That will prevent the iframe from "breaking out". So they created a workaround to fix a problem they created. Fantastic.

fearphage, no, there are several other ways to defeat framebusters (do a little research).

And you're completely forgetting that the user might have Javascript disabled.

@EricLaw: I see that a lot of ideas have been proposed already, and I know IE8's feature set is locked down.  

For the future, one idea I haven't seen is stricter default policies when the target of a cross-site frame is HTTPS.  Maybe secure form submissions from those frames pop up a warning dialog.  

HTTPS is an interesting special case because it would have less compatibility impact (most ads aren't secure) and secure sites tend to be the type that most need security-by-default.

Naturally, you'd have to be convinced that the security gain is worth the devel and compatibility cost; seemed interesting, anyway.

(Or, more aggressively: make HTTPS pages default to X-FRAME-OPTIONS: SAMEORIGIN.  Again, you'd have to know what it would break and decide if it's worth the inevitable developer wrath.)

Dumb question...

The http header has to be capitalized?

Regards

Randall--

"For the future, one idea I haven't seen is stricter default policies when the target of a cross-site frame is HTTPS.  Maybe secure form submissions from those frames pop up a warning dialog."

"(Or, more aggressively: make HTTPS pages default to X-FRAME-OPTIONS: SAMEORIGIN.  Again, you'd have to know what it would break and decide if it's worth the inevitable developer wrath.)"

Thanks.  I have been waiting for some explanation and points of discussion on such.

Your last suggestion appears to be an excellent point. Developer wrath or not, the first responsibility for security lies with the developer and the content and without passing the proverbial buck onto the browser 'sandbox'.

----------

In terms of IE8 RC1, crashes and off-topic points, it appears that possibly Adobe's PDF add-ons are causing the RC1 to crash. Whatever major plug-ins/addons cause such problems, it is not good.

@Doubt Guy: Nope, HTTP Header names are case-insensitive per RFC2616.

Hi, my name is Kymberlee Price, and I recently joined the Internet Explorer team as a Security Program

Kymberlee Price, Security Program Manager for IE8 posts about Clickjacking feature in IE8 RC1 ......

Clickjacking is one of those nightmare situtations for your customers. And the attack on your Web site

IE8 team has this awesome post on this topic which you can read here ! Enjoy :-) Yours, Rohan

Изменения взаимодействия с пользователем в IE8 RC1 После выпуска Internet Explorer 8 Beta 2, мы внимательно

4 Reasons We Must Redefine Web Application Security

Nejjednodušší odpověď je obojí. Ale pokud bych si jako koncový uživatel i jako vývojář měl dnes vybrat,

Nejjednodušší odpověď je obojí. Ale pokud bych si jako koncový uživatel i jako vývojář měl dnes vybrat,