Frame Busting in the Admin

[ryan]

We discussed this before when Twitter was suffering from the iframe clickjacking attacks. Such attacks are harder and less tempting to do on individual WP sites than on big sites like Twitter and wp.com. They are still possible though, so we should consider integrating frame busting. The problem is that frame busting does break some plugins. Plugins would need API to turn of frame busting for their pages and would have to update to use that API.

If a plugin turned it off for a few pages, wouldn't those pages be vulnerable to clickjacking?

We have to turn if off for our uploader too. Maybe someone knows a way of adding secure exceptions.

Simple example that adds an exception for the upload iframe.

That's the classic technique. Maybe one of the billion new flavors of frame busting would smoothly handle plugins and the uploader.

Maybe start sending X-FRAME-OPTIONS

Food for thought: I use this on all of my websites. I can tell you from experience that almost every search engine except for Google is incompatible with frame busting. It's even money that any particular search engine will either block the site entirely, or will cover the search results with a message that says, "clicking here will cause you to leave the search engine (whine) please open the link in a new window."

Of course, I ignore all of them because everyone uses Google anyway. :P

This is only for the admin, so I think we're good.

oh.. aah. Excellent, then.

Hopefully wp-login too.

To address the uploader and any plugins with iframes, how about we not frame bust if there's a valid nonce in the query string?

With IFRAME_REQUEST this could be done easier. Also mda's comment about valid nonce checks.

The big three browsers now support this. Let's hit this in 3.2.

In [17826]:

Send X-Frame-Options: SAMEORIGIN for admin and login pages. see #12293

In [18013]:

Send X-Frame-Options: SAMEORIGIN for admin and login pages. see #12293