shibboleth-dev - [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
List: Shibboleth Developers
- From: Patrik Schnellmann <>
- Subject: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
- Date: Tue, 27 Jul 2010 16:51:17 +0200
Hi all,
I would like to protect our IdP's users from clickjacking attacks [1], as the IdP's login page could be abused for those attacks. To mitigate clickjacking attacks, the X-Frame-Options header has been introduced [2].
There are institutions who include the IdP login page as an iframe. This would no longer be possible if the X-Frame-Options header is used. For our federation, that wouldn't be a problem. What about the deployments you see?
Do you agree that using the X-Frame-Options header would raise the security for the users?
Patrik
[1] http://www.owasp.org/index.php/Clickjacking
[2] http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
--
SWITCH
Serving Swiss Universities
--------------------------
Patrik Schnellmann, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
phone +41 44 2681559, fax +41 44 2681568
http://www.switch.ch
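The trade-off Patrik describes (the header blocks clickjacking, but also blocks institutions that iframe the login page) comes down to which X-Frame-Options value the IdP sends. The following audit helper is an added example written for this page; it is not code from the thread or from the Shibboleth IdP. It parses raw HTTP responses and reports the framing policy they declare, so a federation operator can check what each IdP actually sends. The two values from the IE8 proposal, DENY and SAMEORIGIN, are both incompatible with third-party institution sites framing the page, because those sites are a different origin from the IdP; the single-origin ALLOW-FROM directive (RFC 7034) came later than this thread and is not supported by all browsers. The sample responses are constructed inline, not captured from any real deployment.

```python
"""Audit helper for X-Frame-Options on an IdP login page.

Added example by the editor, not code from the thread or from the
Shibboleth IdP. It parses raw HTTP responses (constructed inline below)
and reports whether a browser that honours X-Frame-Options would let the
page be framed. Header names and values are matched case-insensitively.
"""
from typing import List, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP response, names lower-cased.

    The status line is skipped and the body after the blank line is ignored.
    Only the first colon separates name from value, so values such as
    'ALLOW-FROM https://...' survive intact.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line
        pairs.append((name.strip().lower().decode("latin-1"),
                      value.strip().decode("latin-1")))
    return pairs


def frame_policy(raw: bytes) -> str:
    """Classify the framing policy a response declares.

    Returns one of:
      'frameable'  no X-Frame-Options header: any site can frame the page,
                   which is the clickjacking exposure the thread is about
      'deny'       DENY: no framing at all (breaks institutions that iframe
                   the login page)
      'sameorigin' SAMEORIGIN: only pages from the IdP's own origin may frame
                   it; a third-party institution site still cannot
      'allow-from' ALLOW-FROM <origin>: a single permitted origin; this
                   directive postdates the thread and browser support varies
      'invalid'    unknown token, or several headers with differing values;
                   browsers do not agree on how to treat these, so flag it
    """
    values = [v for name, v in parse_headers(raw) if name == "x-frame-options"]
    if not values:
        return "frameable"
    distinct = {v.upper() for v in values}
    if len(distinct) != 1:
        return "invalid"  # conflicting duplicate headers
    token = distinct.pop()
    if token == "DENY":
        return "deny"
    if token == "SAMEORIGIN":
        return "sameorigin"
    if token.startswith("ALLOW-FROM ") and len(token.split()) == 2:
        return "allow-from"
    return "invalid"


def framing_exposure(raw: bytes) -> bool:
    """True when an arbitrary third-party site could frame the page."""
    return frame_policy(raw) == "frameable"


# Constructed sample responses (not captured from any real IdP).
SAMPLES = {
    "no_header": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>",
    "deny": b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    "sameorigin_lc": b"HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n",
    "allow_from": b"HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://portal.example.edu\r\n\r\n",
    "conflict": b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "bogus": b"HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n\r\n",
}

if __name__ == "__main__":
    for label, resp in SAMPLES.items():
        print(f"{label:14s} -> {frame_policy(resp)}")
```

Run against a real IdP by replacing a SAMPLES entry with the bytes of a captured response to the login page; a result of `frameable` is the state the thread wants to eliminate, while `deny` or `sameorigin` means any institution that embeds the login page in an iframe on its own site will see the frame blocked.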
- [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Patrik Schnellmann, 07/27/2010
- Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Jim Fox, 07/27/2010
- Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Etienne Dysli, 07/29/2010
- Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Leif Johansson, 07/29/2010
- Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Jim Fox, 07/29/2010
- Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Leif Johansson, 07/29/2010
- Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Patrik Schnellmann, 07/29/2010
- Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Etienne Dysli, 07/29/2010
- Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP, Jim Fox, 07/27/2010