Web XFS Prevention


Product ILLiad
Version 9.1
Ticket N/A

Purpose/Scope

The ILLiad 9.1.1 point release was issued to change how ILLiad sets HTTP response headers, in order to mitigate the potential risk of cross-frame scripting (XFS) in the ILLiad 9.1 web pages.

Resolution

Two customization keys (HttpXFrameOptionsHeader and HttpContentSecurityPolicyHeader) were added to define whether ILLiad pages may run inside HTML frames, preventing attacks in which an attacker hosts the target site in an iframe to intercept mouse clicks or keystrokes. Each key specifies a header returned by the web server to provide protection from such attacks for users on older browsers. Alternatively, a server administrator can add the headers as a policy for the entire server.

HttpContentSecurityPolicyHeader

The customization key HttpContentSecurityPolicyHeader adds the Content-Security-Policy (CSP) header to responses from the ILLiad web server; it can be seen among the HTTP headers of a web response. The CSP header can carry a number of policies, but ILLiad uses it only for the frame-related directives. The key accepts any frame-related directive value listed in the Mozilla Developer Documentation, but the recommended values for this key are:
  • frame-ancestors 'none'; - The web page will not be displayed at all if it is in a frame. This is the default option when the key is added.
  • frame-ancestors 'self'; - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the same origin.
  • frame-ancestors {uri}; - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the specified URL.

Combining Key Values

Content-Security-Policy header values from different sources can be combined (e.g., 'none' from one and 'self' from the other) to add more refined restrictions. For example, if ILLiad returns a frame-ancestors directive of 'self' but the web server administrator configures the server to return a directive of 'none', the most restrictive policy takes effect.

Example

If the HttpContentSecurityPolicyHeader key is set to a frame-ancestors policy of 'self' and the server admin sets a frame-ancestors policy of https://example.com, the browser will combine these directives and allow the page to be served in an iframe that originates from either the same domain (self) or from example.com.

If the Key is Left Blank

If the HttpContentSecurityPolicyHeader customization key is blank, the header defaults to frame-ancestors 'none'. Because ILLiad checks the value of HttpContentSecurityPolicyHeader before checking the value of HttpXFrameOptionsHeader, this default prevents ILLiad from ignoring X-Frame-Options headers set at the web server level.

HttpXFrameOptionsHeader

The customization key HttpXFrameOptionsHeader adds the X-Frame-Options header to responses from the ILLiad web server. This header is made obsolete by the frame-ancestors directives; the values accepted by this key are described below for supporting older browsers if necessary:
  • deny - The web page will not be displayed at all if it is in a frame. This is the default option when the key is added.
  • sameorigin - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the same origin.
  • allow-from {uri} - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the specified URI.

Combining Key Values

Do NOT set multiple values for the X-Frame-Options header, because they invalidate each other and the browser ends up applying no X-Frame-Options header at all, even when the same value is specified multiple times. For example, if both ILLiad and the web server are configured to return an X-Frame-Options header specifying deny, the browser considers the value invalid and does not actually deny a page loaded in a frame. If the HttpXFrameOptionsHeader customization key is blank or not enabled, the header is not added at all.
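The following Python script is an added illustration and is not ILLiad code or part of this article. It models the framing decision a browser makes from the headers described above: the frame-ancestors source values, the most-restrictive combination when ILLiad and the web server both send a Content-Security-Policy header, the 'none' default for a blank HttpContentSecurityPolicyHeader key and its precedence over X-Frame-Options, and the X-Frame-Options values together with the rule that duplicate headers cancel each other. The origins, header values and captured response are constructed, and the function names are the example's own.

```python
"""Added example (not ILLiad code): a model of the framing decision a browser
makes from the Content-Security-Policy frame-ancestors directive and the
X-Frame-Options header, following the rules the article describes. Header
values, origins and the captured response are constructed for illustration."""
from urllib.parse import urlsplit


def origin_of(url):
    """Reduce a URL to scheme://host[:port], the unit frame-ancestors compares."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def parse_response_headers(raw):
    """Parse the header block of a captured HTTP response into (name, value) pairs.
    The same name may appear more than once, e.g. once added by ILLiad and once
    by the web server, and every occurrence is kept."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def frame_ancestors_sources(csp_value):
    """Return the source list of the frame-ancestors directive in one CSP header
    value, or None if that directive is absent (other directives are ignored)."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None


def source_allows(source, page_origin, parent_origin):
    """Match one frame-ancestors source against the framing page's origin.
    Only 'none', 'self' and scheme://host origins are handled here."""
    if source == "'none'":
        return False
    if source == "'self'":
        return parent_origin == page_origin
    return "://" in source and origin_of(source) == parent_origin


def framing_allowed(headers, page_origin, parent_origin):
    """Decide whether a page served with these headers may be shown in a frame
    whose document comes from parent_origin."""
    csp_lists = [frame_ancestors_sources(v) for n, v in headers
                 if n.lower() == "content-security-policy"]
    csp_lists = [srcs for srcs in csp_lists if srcs is not None]
    if csp_lists:
        # frame-ancestors takes precedence over X-Frame-Options. Every directive
        # received must allow the parent, so when ILLiad and the web server both
        # send one, the most restrictive wins. An empty source list blocks framing.
        return all(any(source_allows(s, page_origin, parent_origin) for s in srcs)
                   for srcs in csp_lists)
    xfo = [v.lower() for n, v in headers if n.lower() == "x-frame-options"]
    if len(xfo) != 1:
        # No header: no protection. More than one header (even with identical
        # values): they invalidate each other and the browser applies none.
        return True
    value = xfo[0]
    if value == "deny":
        return False
    if value == "sameorigin":
        return parent_origin == page_origin
    if value.startswith("allow-from "):
        return origin_of(value.split(None, 1)[1]) == parent_origin
    return True  # unrecognised value: the browser ignores the header


def illiad_headers(csp_key="", xfo_key=""):
    """Headers ILLiad adds for the given customization key values, per the
    article: a present-but-blank HttpContentSecurityPolicyHeader defaults to
    frame-ancestors 'none'; a blank HttpXFrameOptionsHeader adds no header."""
    headers = [("Content-Security-Policy", csp_key.strip() or "frame-ancestors 'none';")]
    if xfo_key.strip():
        headers.append(("X-Frame-Options", xfo_key.strip()))
    return headers


# Constructed response: ILLiad sends frame-ancestors 'self', the server adds
# 'none', and both also add an X-Frame-Options header.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: frame-ancestors 'self';
Content-Security-Policy: frame-ancestors 'none';
X-Frame-Options: deny
X-Frame-Options: deny
"""

ILLIAD = "https://illiad.example.edu"    # constructed origins
PARTNER = "https://library.example.org"

if __name__ == "__main__":
    hdrs = parse_response_headers(SAMPLE_RESPONSE)
    print(framing_allowed(hdrs, ILLIAD, ILLIAD))             # False: 'none' wins
    print(framing_allowed(illiad_headers("", ""), ILLIAD, ILLIAD))  # False: blank key
    dup = [("X-Frame-Options", "deny"), ("X-Frame-Options", "deny")]
    print(framing_allowed(dup, ILLIAD, PARTNER))             # True: duplicates cancel
```

To check a real deployment, paste the header block of a response captured from your own ILLiad web server into SAMPLE_RESPONSE; a result of True for a foreign parent origin means the combination of ILLiad and server settings leaves the page frameable.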
