Keep Your X-Frame-Options header a little while longer

So Mozilla has decided to deprecate the X-Frame-Options header to avoid clickjacking or UI redressing attacks (have a look in the page history, the first version used a much stronger language). This header was never standardized (as the leading X indicates), but is supported in all browsers (yes, in ALL browsers, with the exception of the special ALLOW-FROM value). The X-Frame-Options replacement is Content Security Policy Level 2 (CSP) with its frame-ancestors directive. I’m all for reducing the huge amount of headers and using CSP instead. Even though a CSP for a normal web application might already be extensive.

There is one huge problem though: browser support. While most modern browsers support CSP level 1 (where there is no frame-ancestors directive) – Internet Explorer supports at least a subset – only Firefox supports the frame-ancestors directive. Give it a try, I’ve updated my security-headers web application you can clone from GitHub. This of course leads to the situation that we developers have to return both headers at the same time, X-Frame-Options and CSP with frame-ancestors directive. And the browser shouldn’t have any problem with that. Older browsers ignore the CSP, newer browsers should ignore X-Frame-Options if frame-ancestors is present. Doesn’t sound like a lot of fun for both parties, does it? But that’s the way it is. We simply cannot afford replacing X-Frame-Options header with CSP right now and leaving most web users unprotected. Especially corporate environments with older browsers (even older Firefox versions do not support CSP Level 2) this will be the situation for quite a while. In the end, CSP will win, and it’s a win we all will benefit from. Just be patient, there is no need to hurry removing old headers right away.