Reevaluate rule for X-Frame-Options vs. Content Security Policy (CSP)


TeeWeTee

Jan 26, 2021, 5:45:52 AM1/26/21
to OWASP ZAP User Group
I have a web app which allows itself to be embedded by certain domains, as specified in its CSP headers. I did a scan with ZAP and it reported several instances of

So I checked the solution and the reference, which, however, seem contradictory:

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

However the reference says:

"There are two possible directives for X-Frame-Options:"
  • X-Frame-Options: DENY
  • X-Frame-Options: SAMEORIGIN
ALLOW-FROM (deprecated)

This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. Note that in the legacy Firefox implementation this still suffered from the same problem as SAMEORIGIN did — it doesn't check the frame ancestors to see if they are in the same origin. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.

Also the OWASP cheat sheet states something similar.

So I think that this rule should be reevaluated.
Or at least it should not be reported when a CSP is correctly specified.
(And the documentation should be adapted to make it less ambiguous?)

What are the views of the community on this?
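A small header check that models the behaviour asked for above, i.e. not flagging X-Frame-Options when a CSP frame-ancestors directive already restricts framing. This is an added example, not ZAP's own passive scan rule; the header values and the finding levels it returns are assumed for illustration.

```python
"""Classify clickjacking protection from HTTP response headers (constructed example)."""
from typing import Dict, List, Optional, Tuple


def frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None if absent.

    An empty source list is equivalent to 'none' per the CSP specification.
    """
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] or ["'none'"]
    return None


def assess_framing(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (level, reason). Levels 'none'/'info'/'low'/'medium' are assumed labels."""
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    ancestors = frame_ancestors(lower.get("content-security-policy"))

    if ancestors is not None:
        # CSP frame-ancestors is the current mechanism and wins in supporting
        # browsers; a legacy ALLOW-FROM beside it is only worth an info note.
        if xfo.startswith("ALLOW-FROM"):
            return "info", "CSP frame-ancestors present; ALLOW-FROM is obsolete and redundant"
        return "none", "framing restricted by CSP frame-ancestors: " + " ".join(ancestors)
    if xfo in ("DENY", "SAMEORIGIN"):
        return "none", "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        # Modern browsers ignore ALLOW-FROM, so the page is framable by anyone.
        return "low", "ALLOW-FROM is ignored by modern browsers; use CSP frame-ancestors"
    return "medium", "no X-Frame-Options and no CSP frame-ancestors"


if __name__ == "__main__":
    # Constructed sample responses, one per branch.
    samples = [
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors https://partner.example"},
        {"X-Frame-Options": "ALLOW-FROM https://partner.example",
         "Content-Security-Policy": "frame-ancestors https://partner.example"},
        {"X-Frame-Options": "SAMEORIGIN"},
        {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        {"Content-Type": "text/html"},
    ]
    for h in samples:
        print(assess_framing(h))
```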

kingthorin+owaspzap

Jan 27, 2021, 12:08:41 PM1/27/21
to OWASP ZAP User Group

kingthorin+owaspzap

Jan 29, 2021, 1:01:47 PM1/29/21
to OWASP ZAP User Group
The ALLOW-FROM changes were included in today's release of v33 of the Passive Scan Rules add-on.

TeeWeTee

Feb 1, 2021, 3:21:31 AM2/1/21
to OWASP ZAP User Group
I looked at the changes and it's looking good! Appreciated, thanks!