IE 8 Clickjacking Protection

Posted by: Joshbw in Browser/Web Security

Eric Lawrence has a pretty thorough writeup on the IE 8 blog concerning *some* protection that IE 8 now offers against clickjacking. In essence, there is a new response header, X-FRAME-OPTIONS, that tells IE how to behave when the page is loaded in a frame; used in conjunction with same origin, it ensures that only the page's own domain may frame that page.

This is by no means a bulletproof fix, especially as it is up to web developers to actually go and use the response header. I can hope that other browser vendors, as well as previous versions of IE, implement this header and behave in the same manner, as it will increase uptake (just as the gradual support by browser vendors of HttpOnly has seen a corresponding uptake of people using it to protect cookies). It's nice to have an option to control frame behavior without hacky JavaScript (at least in IE, whose framebusting JavaScript is nowhere near as good as in every other browser). Regardless, as this is a server-side fix it is up to developers to do something; clients are still stuck using NoScript on Firefox as the only solution they have control over. It will be a long time before this change has any impact.

~ Joshbw
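
The header described above, shown as an added example that is not part of the original post or the IE blog writeup: a Python WSGI middleware that sends X-Frame-Options on every response, with a simplified model of the check a supporting browser performs. DENY and SAMEORIGIN are the header's defined values; the class and function names, the sample app, and the scheme/host/port origin comparison are assumptions made for illustration.

```python
from urllib.parse import urlsplit

class FrameOptionsMiddleware:
    """Add X-Frame-Options to any response that does not already set it."""

    def __init__(self, app, policy="SAMEORIGIN"):
        if policy not in ("DENY", "SAMEORIGIN"):
            raise ValueError("policy must be DENY or SAMEORIGIN")
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Header names are case-insensitive; keep a per-page override.
            if not any(n.lower() == "x-frame-options" for n, _ in headers):
                headers = list(headers) + [("X-Frame-Options", self.policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start)

def origin(url):
    """(scheme, host, port) triple; an assumed, simplified origin model."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)

def frame_allowed(header_value, page_url, top_url):
    """Model of a supporting browser: may page_url render inside top_url?"""
    value = (header_value or "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(page_url) == origin(top_url)
    return True  # header absent or unrecognised: framing is unrestricted

def demo_app(environ, start_response):
    # Constructed sample application, standing in for a sensitive page.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<button>Transfer funds</button>"]

def response_headers(app):
    """Call a WSGI app once and return its response headers as a dict."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured.update({k.lower(): v for k, v in headers})
    b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured
```

Wrapping an application as `FrameOptionsMiddleware(demo_app)` covers every route at once, which addresses the uptake problem on the server side without touching individual pages.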

This entry was posted on Wednesday, January 28th, 2009 at 11:09 am and is filed under Browser/Web Security.