Opened 6 years ago
Closed 13 months ago
#47440 closed enhancement (wontfix)
add_header X-Frame-Options
Reported by: | sudoranger | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 5.2.1 |
Component: | Security | Keywords: | 2nd-opinion close |
Focuses: | Cc: |
Description
Hello.
Today, I came across an issue. I'm using Nginx webserver and this on my configuration.
add_header X-Frame-Options DENY;
This is the recommended setting to secure Nginx for click hijacking. More information can be found here https://www.keycdn.com/blog/x-frame-options
There are three settings for X-Frame-Options:
SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
DENY: This setting will prevent a page displaying in a frame or iframe.
ALLOW-FROM URI: This setting will allow a page to be displayed only on the specified origin.
For your information, WordPress themes and plugins page:
- Appearance > Themes > Add New
- Plugins > Add New
are currently using frames to pull the information from wordpress.org so this will end up showing "Connection Refused" unless I changed the setting to add_header X-Frame-Options SAMEORIGIN;
I would like to request WordPress team to change this behavior to use other methods than frame to show this "external" web site in the administration page. This is a very bad experience in terms of UX and security-design unless you can convince me otherwise that denying x-frame-options isn't a big deal. In my normal nginx setup, I usually use DENY to improve my unwanted experience to the end users from malicious scripts.
Thank you.
Change History (2)
#2
@
13 months ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
Hello and thank you @sudoranger for your suggestion.
Dion provided a solid explanation as to why Core uses SAMEORIGIN
. With no additional follow-up, I'll close this ticket as wontfix
.
However, if today there are valid reasonings for the majority users, please consider reopening and sharing.
Iframes have valid use-cases, and as a result using
X-Frame-Options: SAMEORIGIN
when it's expected an application is using them isn't going to severely reduce security.Using
X-Frame-Options: DENY
I believe will also block the WordPress page embeds (ie. embedding your blog post preview onto another WordPress site).Additionally, WordPress already sends a
X-Frame-Options: SAMEORIGIN
header for Login/Admin requests - #12293