shibboleth-dev - [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP

Subject: Shibboleth Developers

List archive

[Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP

From: Patrik Schnellmann <>
To:
Subject: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
Date: Tue, 27 Jul 2010 16:51:17 +0200

Hi all,

I would like to protect our IdP's users from clickjacking attacks [1] as he IdP's login page could be abused for those attacks. To mitigate clickjacking attacks, the X-Frame-Options header has been introduced [2].

There are institutions who include the IdP login page as an iframe. This would no longer be possible if the X-Frame-Options header is used. For our federation, that wouldn't be a problem. What about the deployments you see?

Do you agree that using the X-Frame-Options header would raise the security for the users?

Patrik

[1] http://www.owasp.org/index.php/Clickjacking
[2] http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

--
SWITCH
Serving Swiss Universities
--------------------------
Patrik Schnellmann, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
phone +41 44 2681559, fax +41 44 2681568
,
http://www.switch.ch

[Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Patrik Schnellmann, 07/27/2010
- Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Jim Fox, 07/27/2010
  - Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Etienne Dysli, 07/29/2010
    - Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Leif Johansson, 07/29/2010
      - Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Jim Fox, 07/29/2010
  - Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Patrik Schnellmann, 07/29/2010

List archive

[Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP