 

Is there a client-side way to detect X-Frame-Options?

Is there any good way to detect when a page isn't going to display in a frame because of the X-Frame-Options header? I know I can request the page server-side and look for the header, but I was curious if the browser has any mechanism for catching this error.

Newtang asked Oct 31 '11 05:10 (455 votes)


People also ask

Is X-Frame-options obsolete?

While the X-Frame-Options header is supported by the major browsers, it has been obsoleted in favour of the frame-ancestors directive from the CSP Level 2 specification. Web proxies are also notorious for adding and stripping headers, so a header set by the application may never reach the browser.

Does Chrome support X-Frame-options allow-From?

Chrome does not support the ALLOW-FROM directive in X-Frame-Options. So if we are going to do anything involving other domains, we need something similar. We can stitch together a patchwork configuration involving both headers, which does something more than just allow same-origin framing.

Is X-Frame-options SAMEORIGIN secure?

X-Frame-Options allows content publishers to prevent their own content from being used in an invisible frame by attackers. The DENY option is the most secure, preventing any use of the current page in a frame. More commonly, SAMEORIGIN is used, as it does enable the use of frames, but limits them to the current domain.

What happens if X-Frame-options is not set?

When X-Frame-Options Header is not set your application pages can be embedded within any other website with no restrictions, e.g. to create a malicious page with your original content augmented with dangerous fragments including phishing attempts, ads, clickjacking code, etc.
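The question mentions the server-side option (fetch the page and inspect its headers), and the notes above list the directive values that matter: DENY, SAMEORIGIN, the unsupported ALLOW-FROM, and CSP frame-ancestors, which takes precedence. The following is an added example, not part of the question or of either answer, that turns those rules into a decision function: given a response header map, the framed page's URL and the embedder's URL, it reports whether a browser would render the frame and why. Function names, the DEFAULT_PORT table and the sample headers at the bottom are this example's own constructions; scheme-less host sources are matched against any scheme, a simplification of the CSP matching rules.

```javascript
// Added example, not from the question or either answer: a server-side check of the
// framing headers, deciding whether `embedderUrl` may frame `pageUrl`.
// Rules implemented:
//   1. A CSP frame-ancestors directive, when present, wins and X-Frame-Options is ignored.
//   2. X-Frame-Options: DENY blocks every ancestor; SAMEORIGIN allows only the page's own origin.
//   3. ALLOW-FROM (never supported by Chrome) and any other unrecognised value are ignored,
//      so the page fails open. Conflicting comma-separated values are treated as blocked,
//      as in the HTML standard's X-Frame-Options check.
// Names and the sample headers below are constructed for this example.

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Match one frame-ancestors source expression against the embedder's origin.
// Handles 'none', 'self', '*', scheme sources (https:) and host sources with an optional
// scheme, an optional leading "*." wildcard and an optional port.
function sourceMatches(rawSrc, embedderOrigin, pageOrigin) {
  const src = rawSrc.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return embedderOrigin === pageOrigin;
  if (src === "*") return true;
  const o = new URL(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return o.protocol === src;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && o.protocol !== scheme + ":") return false;
  const hostOk = wildcard ? o.hostname.endsWith("." + host) : o.hostname === host;
  if (!hostOk) return false;
  const embedderPort = o.port || DEFAULT_PORT[o.protocol] || "";
  if (port && port !== "*" && port !== embedderPort) return false;
  return true;
}

function framingAllowed(headers, pageUrl, embedderUrl) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const pageOrigin = originOf(pageUrl);
  const embedder = originOf(embedderUrl);

  // Rule 1: frame-ancestors takes precedence over X-Frame-Options.
  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      const allowed = sources.some((s) => sourceMatches(s, embedder, pageOrigin));
      return { allowed, reason: directive };
    }
  }

  // Rules 2 and 3: X-Frame-Options.
  const xfo = h["x-frame-options"];
  if (xfo === undefined) return { allowed: true, reason: "no framing policy set" };
  const values = [...new Set(xfo.split(",").map((v) => v.trim().toLowerCase()))];
  const known = (v) => v === "deny" || v === "sameorigin" || v === "allowall";
  if (values.length > 1 && values.some(known)) {
    return { allowed: false, reason: "conflicting X-Frame-Options values: " + xfo };
  }
  const v = values[0];
  if (v === "deny") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (v === "sameorigin") return { allowed: embedder === pageOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
  return { allowed: true, reason: "X-Frame-Options value not recognised, header ignored: " + xfo };
}

// Constructed sample: a SAMEORIGIN page probed from its own origin and from a foreign one.
const SAMPLE_HEADERS = { "Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN" };
console.log(framingAllowed(SAMPLE_HEADERS, "https://app.example.com/account", "https://app.example.com/"));
console.log(framingAllowed(SAMPLE_HEADERS, "https://app.example.com/account", "https://evil.example.net/"));
```

The ALLOW-FROM branch is the one to notice: a header that reads as a restriction is silently ignored, so a site that relies on it is framable from anywhere. A CSP with `frame-ancestors` is the portable way to express an allow-list, and when it is present the X-Frame-Options value no longer matters, which is why the check consults CSP first.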


2 Answers

OK, this one is old but still relevant.

Fact: When an iframe loads a URL which is blocked by an X-Frame-Options header, the loading time is very short.

Hack: So if the onload occurs immediately, I know it's probably an X-Frame-Options issue.

Disclaimer: This is probably some of the 'hackiest' code I've written, so don't expect much:

    var timepast = false;
    var iframe = document.createElement("iframe");
    iframe.style.cssText = "position:fixed; top:0px; left:0px; bottom:0px; right:0px; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;";
    iframe.src = "http://pix.do";       // This will work
    //iframe.src = "http://google.com"; // This won't work
    iframe.id = "theFrame";

    // If more than 500ms have passed, that means a page is loading inside the iframe
    setTimeout(function() {
        timepast = true;
    }, 500);

    // Old IE attaches events with attachEvent; every other browser supports onload directly
    if (iframe.attachEvent) {
        iframe.attachEvent("onload", function() {
            if (timepast) {
                console.log("It's PROBABLY OK");
            } else {
                console.log("It's PROBABLY NOT OK");
            }
        });
    } else {
        iframe.onload = function() {
            if (timepast) {
                console.log("It's PROBABLY OK");
            } else {
                console.log("It's PROBABLY NOT OK");
            }
        };
    }
    document.body.appendChild(iframe);
Iftach answered Sep 20 '22 00:09 (148 votes)
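The answer above relies on timing alone: the browser's blocked-frame placeholder fires onload almost immediately, so a very fast onload is taken as "blocked". As an added example, not code from the answer, here is the same heuristic wrapped in a promise that also cleans up the probe frame, stops waiting after a timeout, and keeps the decision rule in its own function. The names probeFrame and classifyLoad, the sandbox attribute on the probe and the 500 ms / 10 s defaults are this example's assumptions; the block is browser code, and outside a DOM probeFrame simply resolves with verdict "unknown".

```javascript
// Added example, not from the original answer: a promise-based version of the timing
// heuristic. Assumption: a frame blocked by X-Frame-Options fires onload well before
// `thresholdMs`, while a real page takes longer. Names and defaults are this example's own.

// Pure decision rule, kept separate so it can be exercised without a browser.
function classifyLoad(elapsedMs, thresholdMs) {
  return elapsedMs < thresholdMs ? "probably-blocked" : "probably-framed";
}

function probeFrame(url, { thresholdMs = 500, timeoutMs = 10000 } = {}) {
  return new Promise((resolve) => {
    if (typeof document === "undefined") {
      // No DOM (e.g. running under Node): the probe cannot be performed.
      resolve({ verdict: "unknown", elapsedMs: 0, reason: "no DOM available" });
      return;
    }
    const iframe = document.createElement("iframe");
    // Keep the probe invisible; it exists only to observe onload timing.
    iframe.style.cssText = "position:absolute;width:0;height:0;border:0;visibility:hidden;";
    // An empty sandbox keeps the probed page from running scripts (including frame-busting code).
    iframe.setAttribute("sandbox", "");
    const start = performance.now();
    let timer = null;
    let settled = false;

    function finish(verdict, reason) {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      iframe.remove();
      resolve({ verdict, elapsedMs: Math.round(performance.now() - start), reason });
    }

    // Some frames never fire onload (the request may hang), so give up eventually.
    timer = setTimeout(() => finish("unknown", "timeout"), timeoutMs);
    iframe.onload = () => finish(classifyLoad(performance.now() - start, thresholdMs), "onload");
    iframe.onerror = () => finish("unknown", "error");
    iframe.src = url;
    document.body.appendChild(iframe);
  });
}

// Usage from a browser console:
// probeFrame("https://example.com/").then((r) => console.log(r));
```

Treat the verdict as a hint only. A small cached page can load inside the threshold and be misreported as blocked, a slow network can push a blocked placeholder past it, and nothing in the DOM distinguishes the browser's error placeholder from a cross-origin page that loaded normally, since both are opaque to the embedding script. When an exact answer is needed, fetch the page server-side and read its X-Frame-Options and Content-Security-Policy headers directly.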


Disclaimer: this answer, which I wrote in 2012 (Chrome was version ~20 at that time), is outdated, and I'll keep it here for historical purposes only. Read and use at your own risk.


OK, this is a bit of an old question, but here's what I found out (it's not a complete answer) for Chrome/Chromium.

The way to detect whether a frame pointing to a foreign address has loaded is simply to try to access its contentWindow or document.

Here's the code I used:

    element.innerHTML = '<iframe class="innerPopupIframe" width="100%" height="100%" src="' + href + '"></iframe>';
    var myframe = $(element).find('iframe');  // jQuery collection wrapping the new iframe

Then, later:

    try {
        // myframe is a jQuery collection; the raw iframe element is myframe[0]
        var letstrythis = myframe[0].contentWindow;
    } catch (ex) {
        alert('the frame has surely started loading');
    }

The fact is, if X-Frame-Options forbids access, then myframe.contentWindow will be accessible.

The problem here is what I called "then, later". I haven't figured out yet what to rely on, i.e. which event to subscribe to, in order to find the right time to perform the test.

BiAiB answered Sep 21 '22 00:09 (27 votes)