Framing Isolation Policy
November 30, 2020
Framing Isolation Policy is a stricter version of Framing Protections where the request gets blocked at the application level rather than by the browser. This is designed to protect against various attacks (e.g. XSSI, CSRF, XS-Leaks) by blocking framing requests to endpoints that are not intended to be framable.
It can be combined with Resource Isolation Policy to effectively tighten the attack surface within cross-site information leaks.
tipInstead of rejecting all non-framable endpoints, the user could be prompted to confirm the action, e.g. Confirm that you visited this page from a trusted origin, to mitigate the risk of attacks in the background, and, at the same time, help prevent unintended breakages of an application.
tipWhen deployed together with Resource Isolation Policy, Framing Isolation Policy does not protect against leaks utilizing window references (e.g.
window.length), so other navigational protections such as COOP or Navigation Isolation Policy can be helpful.
Implementation with Fetch Metadata #
The below snippet showcases an example implemention of the Framing Isolation Policy by an application:
# Reject cross-site requests to protect from CSRF, XSSI, XS-Leaks, and other bugs def allow_request(req): # Allow requests from browsers which don't send Fetch Metadata if not req['headers']['sec-fetch-site']: return True if not req['headers']['sec-fetch-mode']: return True if not req['headers']['sec-fetch-dest']: return True # Allow non-navigational requests if req['headers']['sec-fetch-mode'] not in ('navigate', 'nested-navigate'): return True # Allow requests not originated from embeddable elements if req['headers']['sec-fetch-dest'] not in ('frame', 'iframe', 'embed', 'object'): return True # [OPTIONAL] Exempt paths/endpoints meant to be served cross-site. if req.path in ('/my_frame_ancestors_host_src'): return True # Reject all other requests return False
Framing Isolation Policy cannot be applied if an endpoint allows framing requests from specific origins via
X-Frame-Options and/or Content Security Policy’s