
shibboleth-dev - [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP

Subject: Shibboleth Developers


[Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP


  • From: Patrik Schnellmann <>
  • To:
  • Subject: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
  • Date: Tue, 27 Jul 2010 16:51:17 +0200

Hi all,

I would like to protect our IdP's users from clickjacking attacks [1] as the IdP's login page could be abused for those attacks. To mitigate clickjacking attacks, the X-Frame-Options header has been introduced [2].

There are institutions who include the IdP login page as an iframe. This would no longer be possible if the X-Frame-Options header is used. For our federation, that wouldn't be a problem. What about the deployments you see?

Do you agree that using the X-Frame-Options header would raise the security for the users?

Patrik

[1] http://www.owasp.org/index.php/Clickjacking
[2] http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

--
SWITCH
Serving Swiss Universities
--------------------------
Patrik Schnellmann, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
phone +41 44 2681559, fax +41 44 2681568
http://www.switch.ch
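As an added example (not part of Patrik's post or of the Shibboleth IdP itself), the following Python checker encodes the X-Frame-Options semantics the post refers to: given the response headers of an IdP page and the URL of the page that would frame it, it reports whether a browser honouring the header would render the frame. It also covers the ALLOW-FROM directive, a later extension that not every browser supports. All URLs and headers below are constructed sample data.

```python
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """Reduce a URL to the (scheme, host, port) triple browsers compare as its origin."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def framing_allowed(headers: dict, page_url: str, top_url: str) -> bool:
    """Would a browser render page_url inside a frame whose top-level document is top_url?

    No X-Frame-Options header at all means anyone may frame the page: that is the
    default Patrik's post wants to close for the IdP login page.
    """
    value = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if value is None:
        return True
    token, _, arg = value.strip().partition(" ")
    token = token.upper()
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        return origin(page_url) == origin(top_url)
    if token == "ALLOW-FROM":  # later, non-universal extension: one whitelisted origin
        return origin(arg.strip()) == origin(top_url)
    # Unrecognised value: browsers ignore the header, so framing stays allowed.
    return True


def audit(responses: dict, top_url: str) -> list:
    """Return the page URLs whose response headers would let top_url frame them."""
    return [url for url, hdrs in responses.items() if framing_allowed(hdrs, url, top_url)]


# Constructed sample: three IdP endpoints with different (or missing) header values.
SAMPLE_RESPONSES = {
    "https://idp.example.org/idp/Authn/UserPassword": {"Content-Type": "text/html"},
    "https://idp.example.org/idp/profile/SAML2/Redirect/SSO": {"X-Frame-Options": "DENY"},
    "https://idp.example.org/idp/Authn/External": {"x-frame-options": "sameorigin"},
}

if __name__ == "__main__":
    # A third-party page can only frame the endpoint that sends no header.
    print(audit(SAMPLE_RESPONSES, "https://portal.example.net/"))
    # A page on the IdP's own origin can additionally frame the SAMEORIGIN endpoint.
    print(audit(SAMPLE_RESPONSES, "https://idp.example.org/portal"))
```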



