WTF Is X-Frame-Options?
A console error alerts the author to an unknown security feature that prevented iframe functionality.
Join the DZone community and get the full member experience.Join For Free
Here’s a fun way to waste an afternoon:
- You have a user flow that involves reading user docs: some gDocs, some YouTube videos, and some UI practice links of your own.
- Opening these in a new tab is annoying, right?
- So you move them into modals using
- Everything works!
- Then, you give it to QA…
- 2 out of 8 links don’t open for them.
Every link opens a modal with an iframe. That part works. Two of the links – a YouTube video and a UI practice widget – never load.
You think it might be a slowness issue because you wait a few seconds and there’s no loading indicator. So you ask them to wait… doesn’t help. QA waits for many minutes but the two
iframes stay blank.
You investigate. It still works for you. But QA is using Windows.
You find a Windows machine, do the Windows 10 forced update dance, and download the latest Chrome. It’s not a computer you use very often. The touchpad feels funny.
iframes, they don’t load. Wut.
The console sheds a clue: Refused to display because it set
What the hell is X-Frame-Options? Why does Google only return results and StackOverflow questions from 2010, 2012, and 2013. Most of them still in PHP! Why have I not heard of this!?
X-Frame-Options: SAMEORIGIN is an HTTP header that guards websites against clickjacking attacks. It tells browsers, “Yo, don’t open this page in an iframe”.
YouTube sets the header for URLs that aren’t
embed links, which explains the single YT link that didn’t work in my case. I was using
embed links for all but one of them.
And our own practice-the-interface link?
Rails 4 sets
X-Frame-Options: SAMEORIGIN for everything as a default security measure. I just never noticed before.
At least it was easy to fix – don’t send the header.
But why did it work on my computer?
At first, I thought maybe it’s because Chrome Mac and Chrome Windows behave differently. I tried on a coworker’s machine, and it didn’t work. It stopped the
iframes like it’s supposed to.
Then I thought, “Maybe it’s because I’m on localhost.” Nope, wasn’t that.
Maybe it figures out
swizec.ngrok.io points to my local machine? Wait… the YouTube link worked, so it can’t be that.
…Why doesn’t my computer protect me from clickjacking? This is not ideal…
But hey, at least I know about X-Frame-Options now. That was fun.
Published at DZone with permission of Swizec Teller, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.