Symantec Access Management

Tech Tip - CA Single Sign-On: Web Agent : X-Frame-Options Introduced

By Ujwol posted 03-31-2016 11:57 PM

  


Questions

  • What is the X-Frame-Options response header, and what is the implication of setting it?
  • What are the different options for the X-Frame-Options response header?
  • What are the other considerations?
  • Does the Single Sign-On Web Agent support the X-Frame-Options response header?

 

Answers

 

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.

 

X-Frame-Options Header Types

There are three possible values for the X-Frame-Options header:

  • DENY, which prevents any domain from framing the content. The "DENY" setting is recommended unless a specific need has been identified for framing.
  • SAMEORIGIN, which only allows the current site to frame the content.
  • ALLOW-FROM uri, which permits the specified 'uri' to frame this page. (e.g., ALLOW-FROM http://www.example.com)

 

Browser Support

The following browsers support X-Frame-Options headers.

Browser             DENY/SAMEORIGIN Support Introduced   ALLOW-FROM Support Introduced
Chrome              4.1.249.1042                         Not supported/Bug reported
Firefox (Gecko)     3.6.9 (1.9.2.9)                      18.0
Internet Explorer   8.0                                  9.0
Opera               10.50
Safari              4.0                                  Not supported/Bug reported

 

Note:

  • X-Frame-Options is deprecated: while the X-Frame-Options header is supported by the major browsers, it was never standardized and has been deprecated in favour of the frame-ancestors directive from the CSP Level 2 specification.

 

Single Sign-on Web Agent support for X-Frame-Options

 

Single Sign-On Web Agent r12.5 (as of CR5) does not support the XFrameOptions ACO parameter.

It also drops the X-Frame-Options header even when the header is set by the web server directly.

For example, to configure Apache to send the X-Frame-Options header for all pages, you would add the following to your site's configuration (httpd.conf):

 

     Header always append X-Frame-Options SAMEORIGIN

However, even with this directive in place, if the website is protected by the SiteMinder Web Agent, the agent strips this header before it reaches the client/browser.

In other words, the Single Sign-On Web Agent r12.5 does not honor the web-server setting for X-Frame-Options.

 

Single Sign-On Web Agent r12.51 CR4 and above does support the XFrameOptions ACO parameter.

The options for the XFrameOptions parameter are the same as the values of the X-Frame-Options response header:

Options: DENY, SAMEORIGIN, ALLOW-FROM uri

Web Agent r12.51 CR4 and above also honors this header when it is set by the web server itself, and lets the header pass through to the client/browser.
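Because an older agent can silently strip a header the web server set, the only reliable check is to inspect what the browser actually receives. The following Python script is an added example, not part of the original tech tip or the CA product: it classifies a response's anti-framing protection (X-Frame-Options, with the CSP frame-ancestors directive from the Note as the preferred fallback) and reports when the header is missing. The header maps in the test are constructed sample data; the fetch helper is for live use against your own site.

```python
"""Check whether an HTTP response carries a usable anti-framing header."""
import urllib.request
from typing import Mapping, Tuple

VALID_XFO = ("DENY", "SAMEORIGIN")


def evaluate_xfo(value: str) -> Tuple[str, str]:
    """Classify one X-Frame-Options value. Returns (status, detail)."""
    v = value.strip()
    if "," in v:
        # Two values in one header (e.g. 'Header append' applied twice, giving
        # 'SAMEORIGIN, SAMEORIGIN') are not a valid directive; browsers ignore
        # the whole header, so 'Header set' is the safer Apache form.
        return "invalid", f"multiple values: {v!r}"
    upper = v.upper()
    if upper in VALID_XFO:
        return "ok", upper
    if upper.startswith("ALLOW-FROM "):
        # Per the browser table above, Chrome and Safari do not support ALLOW-FROM.
        return "weak", f"ALLOW-FROM is not supported by every browser: {v}"
    return "invalid", f"unknown value: {v!r}"


def check_frame_protection(headers: Mapping[str, str]) -> Tuple[str, str]:
    """Return (status, detail) for a response header map (names case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            # CSP Level 2 frame-ancestors supersedes X-Frame-Options.
            return "ok", directive.strip()
    if "x-frame-options" in lowered:
        return evaluate_xfo(lowered["x-frame-options"])
    return "missing", "no X-Frame-Options or frame-ancestors; check whether the agent dropped it"


def fetch_headers(url: str) -> dict:
    """Fetch a URL and return its response headers (live check, not used by the test)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    import sys
    status, detail = check_frame_protection(fetch_headers(sys.argv[1]))
    print(status, detail)
```

Run it once against a page served without the agent and once through the agent-protected URL; a result that changes from "ok" to "missing" is the r12.5 behaviour described above.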

 
