X-Frames-Options in the meta tag

Simen_257 picture Simen_257 · May 7, 2015 · Viewed 16.9k times · Source

I've created an test application where i look into the different defense techniques against Clickjacking and other UI redressing attacks. One of the most used techniques is the X-Frames-Options along the Frame-Busting code. What i fail to understand is the reason why the following isn't recommended, and according to OWASP: (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet) doesn't work (Even though it works in my test applciation, i can't frame the page if the following is included)

 <meta http-equiv="X-Frame-Options" content="deny">

Any explanation or link to an answer would be greatly appreciated.

Apparently this is because the META tag might not be received until information has already rendered in the subframe. This still works in browser such as Chrome and Firefox, but is ignored by IE.

Answer

smnbbrv picture smnbbrv · May 7, 2015

According to many resources (not only your URL, but also e.g. this one) the <meta> tag should be ignored.

If your browser does not do so, that does not mean that all browsers don't do that as well. So to be on a safe side you must specify the HTTP header.

The question why so? Probably one of the reasons is the same why they tell to avoid using the following:

<meta name="robots" content="noindex" />

The reason, in my opinion, is that to get this meta tag you need to download and parse the whole page. To read the HTTP header you don't need to do so.

In this case HTTP header is just more efficient way to speed up the browser, so that could be the reason of forcing you to kill the meta tags.