X-Frame-Options (response header) - security

Posts
Registered User
Posts: 6
Joined: Thu Feb 05, 2009 6:16 pm

X-Frame-Options (response header) - security

Post by Posts »

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
https://developer.mozilla.org/en/the_x- ... nse_header

MediaWiki is now using it:
https://bugzilla.wikimedia.org/show_bug.cgi?id=26561
http://lists.wikimedia.org/pipermail/me ... 00093.html

Browser compatibility

Browser | Lowest version
Internet Explorer | 8.0
Firefox (Gecko) | 3.6.9 (1.9.2.9)
Opera | 10.50
Safari | 4.0
Chrome | 4.1.249.1042
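
An added example, not part of the original post and not phpBB code: a Python check that reads captured HTTP responses and reports which pages advertise a framing policy through the X-Frame-Options header described above. The sample responses and the page names used as keys are constructed for illustration.

```python
# Added example: classify the framing policy each response advertises.
VALID = {"DENY", "SAMEORIGIN"}

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP response."""
    pairs = []
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def framing_policy(raw):
    """Return 'deny', 'sameorigin', 'missing' or 'invalid' for one response."""
    tokens = []
    for name, value in parse_headers(raw):
        if name == "x-frame-options":          # header names are case-insensitive
            # A repeated header and a comma-joined value mean the same thing.
            tokens += [t.strip().upper() for t in value.split(",")]
    if not tokens:
        return "missing"
    unique = set(tokens)
    # Conflicting or unrecognised values are a misconfiguration: report them
    # instead of guessing how a given browser will resolve them.
    if len(unique) != 1 or not unique <= VALID:
        return "invalid"
    return unique.pop().lower()

def needs_attention(samples):
    """Pages whose responses carry no usable X-Frame-Options value."""
    return sorted(page for page, raw in samples.items()
                  if framing_policy(raw) in ("missing", "invalid"))

# Constructed sample responses (not captured from a real board).
SAMPLES = {
    "index.php": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "ucp.php": "HTTP/1.1 200 OK\r\nx-frame-options: deny\r\n\r\n",
    "viewtopic.php": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "posting.php": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                   "X-Frame-Options: SAMEORIGIN\r\n\r\n",
    "search.php": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORGIN\r\n\r\n",
}

if __name__ == "__main__":
    for page, raw in SAMPLES.items():
        print(f"{page:15} {framing_policy(raw)}")
```

A board that is deliberately served inside a frame on its own site would expect 'sameorigin' here rather than 'deny'.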

Noxwizard
Support Team Leader
Posts: 137
Joined: Sun Dec 18, 2005 5:44 pm
Location: Texas

Re: X-Frame-Options (response header) - security

Post by Noxwizard »

I can see its usefulness, but it would definitely need to be an option on the Security section of the ACP. A non-trivial number of board owners operate their sites in frames, so we wouldn't want to alienate the users who integrate it with their site this way.

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany

Re: X-Frame-Options (response header) - security

Post by naderman »

Indeed, this is not something we can enforce for all boards. An option would be a possibility, but if it's not important enough for us to enforce on all boards, why clutter the ACP with more options? And realistically, how many admins would enable this? So I think my vote is a nay.
