Web XFS Prevention


Product: ILLiad
Version: 9.1
Ticket: N/A

Purpose/Scope

The ILLiad 9.1.1 point release changes how ILLiad sets its HTTP response headers in order to mitigate the risk of cross-frame scripting (XFS) in the ILLiad 9.1 web pages.

Resolution

Two Customization Keys (HttpXFrameOptionsHeader and HttpContentSecurityPolicyHeader) were added to define whether ILLiad pages may run inside HTML frames. This prevents attacks in which an attacker hosts the target site in an iframe in order to intercept mouse clicks or keystrokes. Each key specifies a header returned by the web server, so that protection from such attacks also reaches users on older browsers.

HttpContentSecurityPolicyHeader

The customization key HttpContentSecurityPolicyHeader adds the Content-Security-Policy header to responses from the ILLiad web server. This header can carry many policies, but ILLiad uses it only for the frame-related directives. The key accepts any frame-related directive value listed in the Mozilla Developer documentation; the recommended values for this key are:

  • frame-ancestors 'none'; - The web page will not be displayed at all if it is in a frame. This is the default option when the key is added.
  • frame-ancestors 'self'; - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the same origin.
  • frame-ancestors {uri}; - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the specified URI.

Combining Key Values

Content-Security-Policy header values can be combined (e.g., 'none' and 'self') to produce more refined restrictions. Each policy the browser receives is enforced, so if ILLiad returns a frame-ancestors directive of 'self' while the web server administrator has the server return a directive of 'none', the most restrictive policy takes effect.

If the Key is Left Blank

If the HttpContentSecurityPolicyHeader customization key is blank or not enabled, the header defaults to frame-ancestors 'none'. ILLiad checks the value of HttpContentSecurityPolicyHeader before it checks HttpXFrameOptionsHeader, so this default ensures that ILLiad does not end up ignoring the X-Frame-Options headers set at the web server level.

HttpXFrameOptionsHeader

The customization key HttpXFrameOptionsHeader adds the X-Frame-Options header to responses from the ILLiad web server. The accepted values for this key are:

  • deny - The web page will not be displayed at all if it is in a frame. This is the default option when the key is added.
  • sameorigin - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the same origin.
  • allow-from {uri} - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the specified URI. This option is obsoleted by the frame-ancestors directive discussed above, but it should be defined to support older browsers if necessary.

Combining Key Values

Do NOT set multiple values for the X-Frame-Options header, even if it is the same X-Frame-Options value specified more than once: the values invalidate each other, and the browser ends up applying no X-Frame-Options header at all. For example, if both ILLiad and the web server are configured to return an X-Frame-Options header specifying deny, the browser treats the combined value as invalid and will not actually deny a page loaded in a frame.

If the Key is Left Blank

If the HttpXFrameOptionsHeader customization key is blank or not enabled, the header will not be added at all.
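The precedence and conflict rules described in the two sections above (frame-ancestors is honoured before X-Frame-Options, every Content-Security-Policy the browser receives is enforced so the strictest wins, and repeated X-Frame-Options values cancel each other) can be checked against a captured response. The following audit is an added example, not ILLiad code; it assumes you have already fetched the headers from the ILLiad web server and passes them in as (name, value) pairs, with the sample headers constructed inline.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]
# Lower rank = stricter framing policy; "none" means no protection.
RANK = {"deny": 0, "sameorigin": 1, "allowlist": 2, "none": 3}


def csp_frame_policies(csp_headers: List[str]) -> List[str]:
    """Map every frame-ancestors directive in the given
    Content-Security-Policy values to deny / sameorigin / allowlist."""
    policies = []
    for header in csp_headers:
        for directive in header.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.lower() for t in tokens[1:]]
                if sources == ["'none'"]:
                    policies.append("deny")
                elif sources == ["'self'"]:
                    policies.append("sameorigin")
                else:
                    policies.append("allowlist")
    return policies


def audit_framing(headers: List[Header]) -> Dict[str, object]:
    """Return the policy modern browsers enforce (CSP first, then
    X-Frame-Options), the policy legacy browsers see (X-Frame-Options
    only) and the misconfigurations worth fixing."""
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    # A proxy may fold repeated headers into one comma-separated value.
    xfo = [v.strip().lower() for raw in by_name.get("x-frame-options", [])
           for v in raw.split(",")]
    csp = csp_frame_policies(by_name.get("content-security-policy", []))
    findings: List[str] = []
    if len(xfo) > 1:   # repeated values invalidate the header (see above)
        findings.append("multiple X-Frame-Options values: send exactly one")
        legacy = "none"
    elif len(xfo) == 1:
        legacy = xfo[0] if xfo[0] in RANK else (
            "allowlist" if xfo[0].startswith("allow-from") else "none")
        if legacy == "none":
            findings.append("unrecognised X-Frame-Options value")
    else:
        legacy = "none"
        if csp:
            findings.append("no X-Frame-Options: older browsers unprotected")
    # Every CSP is enforced, so the strictest frame-ancestors wins, and
    # when frame-ancestors is present X-Frame-Options is ignored.
    modern = min(csp, key=RANK.get) if csp else legacy
    if modern == "none":
        findings.append("no framing protection: any site can embed this page")
    return {"modern": modern, "legacy": legacy, "findings": findings}
```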
