shibboleth-dev - Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
  • From: Jim Fox <>
  • To: "" <>
  • Subject: Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
  • Date: Tue, 27 Jul 2010 10:54:57 -0700 (PDT)


Our login screen has one button that says 'Log in'. Possibly someone
could be tricked into clicking that -- with an empty password.
Seems like a lot of work on the attacker's part for very little gain.
I imagine the shib login screen is similar.

Most of our users don't use a really recent IE8, so the new header
would do them no good. It wouldn't hurt them either. It would be
nice to have a solution for everyone.

As far as the login page in an iframe: If you do that the URL of
the IdP doesn't show up anywhere, does it? How would the user know
this is the IdP's page and not a fake? Why would someone do that?

Jim



I would like to protect our IdP's users from clickjacking attacks [1] as the
IdP's login page could be abused for those attacks. To mitigate clickjacking
attacks, the X-Frame-Options header has been introduced [2].

There are institutions who include the IdP login page as an iframe. This
would no longer be possible if the X-Frame-Options header is used. For our
federation, that wouldn't be a problem. What about the deployments you see?

Do you agree that using the X-Frame-Options header would raise the security
for the users?
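The X-Frame-Options mitigation discussed in the quoted question, as an added example that is not part of this thread or of the Shibboleth IdP code: a WSGI middleware that stamps every IdP response with the header (replacing any conflicting value already set), plus a small evaluator that models how a header-aware browser such as IE8 decides whether a framed login page may render. The stub login app, the `/idp/Authn/UserPassword` path and the host names are constructed for illustration; the two policy values shown, DENY and SAMEORIGIN, are the ones the original header defined.

```python
from urllib.parse import urlsplit


def add_frame_options(app, policy="DENY"):
    """WSGI middleware (constructed example): append X-Frame-Options to every
    response of the wrapped app. Only DENY and SAMEORIGIN are accepted here,
    the two values the original IE8 header defined."""
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("unsupported X-Frame-Options policy: %r" % policy)

    def wrapped(environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            # Drop any X-Frame-Options the app already set so the client never
            # receives two conflicting copies; then add the configured policy.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", policy))
            return start_response(status, headers, exc_info)
        return app(environ, guarded_start_response)
    return wrapped


def origin_of(url):
    """Scheme, host and effective port, i.e. the origin a browser compares."""
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, parts.port or default_port)


def framing_allowed(header_value, page_url, top_url):
    """Decide, as a header-honouring browser would, whether page_url may be
    rendered inside a frame whose top-level document is top_url.

    A missing header (None) means framing is permitted: that is the behaviour
    every client gets from a server that does not send the header at all."""
    if header_value is None:
        return True
    value = header_value.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(top_url)
    # Unrecognised values are ignored by browsers (assumption documented in
    # this example), so a misspelt policy silently fails open.
    return True


def idp_login_app(environ, start_response):
    """Stub standing in for the IdP login page (constructed, not the real IdP)."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form><input name='j_password' type='password'>"
            b"<button>Log in</button></form>"]


def collect_response(app, path="/idp/Authn/UserPassword"):
    """Run a WSGI app offline and return (status, header list, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    protected = add_frame_options(idp_login_app, "DENY")
    status, headers, _ = collect_response(protected)
    policy = dict(headers).get("X-Frame-Options")
    print(status, "X-Frame-Options:", policy)
    login_url = "https://idp.example.edu/idp/Authn/UserPassword"
    for top in ("https://idp.example.edu/portal/", "https://third-party.example/"):
        print("framed from", top, "->", framing_allowed(policy, login_url, top))
```

Running the block shows the login response carrying `X-Frame-Options: DENY` and the evaluator refusing to render it from either the IdP's own portal or a third-party page; switching the policy to SAMEORIGIN keeps the same-host portal case working while still blocking cross-origin framing, which is the trade-off between the two values the question raises.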



