October 1, 2020
A considerable number of XS-Leaks rely on properties of iframes. If an attacker cannot embed the target page (as an iframe, object or embed element), the attack is often no longer possible. To mitigate XS-Leaks that rely on such embedding, a page can forbid framing altogether, or restrict it to a chosen set of origins, by sending the X-Frame-Options header or the CSP frame-ancestors directive.
Tip: The CSP frame-ancestors directive is the more modern way of enabling framing protections. However, it is not supported by Internet Explorer, so in many cases it is recommended to use it in conjunction with the
This protection is very effective against XS-Leaks that rely on framing (it does nothing against leaks that load the target in a new window instead), and it can be deployed without breaking the vast majority of applications. Beyond XS-Leaks, the same mechanism prevents attacks such as clickjacking.
Deploying framing protections is usually straightforward, as most applications are never meant to be embedded cross-origin in an iframe. Check out this web.dev article to learn more about the advantages of this header.
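The following is an added example, not code from the XS-Leaks wiki or from any browser. It models, in simplified form, how a browser decides whether an embedder origin may frame a page given that page's response headers: a CSP frame-ancestors directive, when present, takes precedence and X-Frame-Options is then ignored; otherwise X-Frame-Options applies; with neither, framing is allowed. Host-source paths, the full ancestor chain and other details of the CSP3 matching algorithm are left out. The origins (bank.example, partner.example, attacker.example) and the `framingProtectionHeaders` helper are assumptions made for the example.

```javascript
// Added example (not code from the XS-Leaks wiki): a simplified model of the
// browser's framing decision, used here to check that a header set really
// blocks the embedder origins it is meant to block.

// Recommended header pair for a page that must only be framed by itself:
// frame-ancestors for modern browsers, X-Frame-Options as the legacy fallback.
function framingProtectionHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Return the frame-ancestors source list (lowercased), or null if the
// directive is absent. An empty list means the same as 'none'.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Match one frame-ancestors source expression against the embedder origin.
// `embedder` and `page` are URL objects; `page` is the framed document.
function sourceMatches(expr, embedder, page) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return embedder.origin === page.origin;
  if (expr === '*') return true;
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return embedder.protocol === expr;

  // host-source: [scheme "://"] host [":" port], with "*." and "*" wildcards
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?$/.exec(expr);
  if (!m) return false; // unparseable expressions never match
  const [, scheme, host, port] = m;
  if (scheme) {
    if (embedder.protocol !== `${scheme}:`) return false;
  } else if (embedder.protocol !== page.protocol && embedder.protocol !== 'https:') {
    return false; // scheme omitted: same scheme as the page, or an upgrade to https
  }
  if (host !== '*') {
    if (host.startsWith('*.')) {
      // "*.partner.example" matches "app.partner.example" but not "partner.example"
      if (!embedder.hostname.endsWith(host.slice(1))) return false;
    } else if (embedder.hostname !== host) {
      return false;
    }
  }
  if (port && port !== '*') {
    const embedderPort = embedder.port || (embedder.protocol === 'https:' ? '443' : '80');
    if (embedderPort !== port) return false;
  }
  return true;
}

// Decide whether a document at `embedderOrigin` may frame the response
// (with `headers`) served by `pageOrigin`.
function framingAllowed(headers, embedderOrigin, pageOrigin) {
  const embedder = new URL(embedderOrigin);
  const page = new URL(pageOrigin);
  const ancestors = parseFrameAncestors(getHeader(headers, 'Content-Security-Policy'));
  if (ancestors !== null) {
    // frame-ancestors present: browsers ignore X-Frame-Options entirely
    return ancestors.some((expr) => sourceMatches(expr, embedder, page));
  }
  const xfo = (getHeader(headers, 'X-Frame-Options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder.origin === page.origin;
  return true; // no header, or a value browsers ignore (e.g. ALLOW-FROM)
}

// Constructed demonstration: an unprotected response versus the hardened one.
const page = 'https://bank.example';
if (framingAllowed({}, 'https://attacker.example', page) !== true) throw new Error('no headers should allow framing');
if (framingAllowed(framingProtectionHeaders(), 'https://attacker.example', page) !== false) throw new Error('cross-origin framing should be blocked');
if (framingAllowed(framingProtectionHeaders(), page, page) !== true) throw new Error('same-origin framing should still work');
```

`framingAllowed` is handy as a unit test against the headers your framework emits: feed it the actual response header object and the origins of every site that legitimately embeds the page, and assert that everything else gets `false`. Note that a CSP with `frame-ancestors 'none'` blocks framing even when a looser `X-Frame-Options: SAMEORIGIN` is sent alongside it, which is the precedence the model encodes.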