I'd like to protect against clickjacking using the X-Frame-Options header, but we occasionally frame secure content on the insecure version of our site1:
Since it looks like only Firefox currently supports the ALLOW-FROM form of the header, I'm considering conditionally serving the header:
- By default, include X-Frame-Options.
- If your referrer is
^(.*\.)?example.com$, leave the header out.
It seems like this would work, and it fails safe: if someone's browser doesn't send a referrer or a corporate firewall strips it out, they don't get to pay us (which is bad), but our content can never be framed on third-party sites (which would be worse).
How would this strategy work in the real world?
1 Some of our ad partners historically haven't supported serving ads over HTTPS. We're investigating whether this has changed.
Aucun commentaire:
Enregistrer un commentaire