WordPress.org

Make WordPress Core

Opened 18 months ago

Last modified 18 months ago

#47440 new enhancement

add_header X-Frame-Options

Reported by: sudoranger Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.2.1
Component: Security Keywords: 2nd-opinion close
Focuses: Cc:

Description

Hello.

Today, I came across an issue. I'm using Nginx webserver and this on my configuration.

add_header X-Frame-Options DENY;

This is the recommended setting to secure Nginx for click hijacking. More information can be found here https://www.keycdn.com/blog/x-frame-options

There are three settings for X-Frame-Options:

SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
DENY: This setting will prevent a page displaying in a frame or iframe.
ALLOW-FROM URI: This setting will allow a page to be displayed only on the specified origin.

For your information, WordPress themes and plugins page:

  1. Appearance > Themes > Add New
  2. Plugins > Add New

are currently using frames to pull the information from wordpress.org so this will end up showing "Connection Refused" unless I changed the setting to add_header X-Frame-Options SAMEORIGIN;

I would like to request WordPress team to change this behavior to use other methods than frame to show this "external" web site in the administration page. This is a very bad experience in terms of UX and security-design unless you can convince me otherwise that denying x-frame-options isn't a big deal. In my normal nginx setup, I usually use DENY to improve my unwanted experience to the end users from malicious scripts.

Thank you.

Change History (1)

#1 @dd32
18 months ago

  • Keywords 2nd-opinion close added; needs-design-feedback removed

Iframes have valid use-cases, and as a result using X-Frame-Options: SAMEORIGIN when it's expected an application is using them isn't going to severely reduce security.

Using X-Frame-Options: DENY I believe will also block the WordPress page embeds (ie. embedding your blog post preview onto another WordPress site).

Additionally, WordPress already sends a X-Frame-Options: SAMEORIGIN header for Login/Admin requests - #12293

Note: See TracTickets for help on using tickets.