Make WordPress Core

Opened 5 years ago

Closed 5 months ago

#47440 closed enhancement (wontfix)

add_header X-Frame-Options

Reported by: sudoranger's profile sudoranger Owned by:
Milestone: Priority: normal
Severity: normal Version: 5.2.1
Component: Security Keywords: 2nd-opinion close
Focuses: Cc:

Description

Hello.

Today, I came across an issue. I'm using Nginx webserver and this on my configuration.

add_header X-Frame-Options DENY;

This is the recommended setting to secure Nginx for click hijacking. More information can be found here https://www.keycdn.com/blog/x-frame-options

There are three settings for X-Frame-Options:

SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
DENY: This setting will prevent a page displaying in a frame or iframe.
ALLOW-FROM URI: This setting will allow a page to be displayed only on the specified origin.

For your information, WordPress themes and plugins page:

  1. Appearance > Themes > Add New
  2. Plugins > Add New

are currently using frames to pull the information from wordpress.org so this will end up showing "Connection Refused" unless I changed the setting to add_header X-Frame-Options SAMEORIGIN;

I would like to request WordPress team to change this behavior to use other methods than frame to show this "external" web site in the administration page. This is a very bad experience in terms of UX and security-design unless you can convince me otherwise that denying x-frame-options isn't a big deal. In my normal nginx setup, I usually use DENY to improve my unwanted experience to the end users from malicious scripts.

Thank you.

Change History (2)

#1 @dd32
5 years ago

  • Keywords 2nd-opinion close added; needs-design-feedback removed

Iframes have valid use-cases, and as a result using X-Frame-Options: SAMEORIGIN when it's expected an application is using them isn't going to severely reduce security.

Using X-Frame-Options: DENY I believe will also block the WordPress page embeds (ie. embedding your blog post preview onto another WordPress site).

Additionally, WordPress already sends a X-Frame-Options: SAMEORIGIN header for Login/Admin requests - #12293

#2 @hellofromTonya
5 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Hello and thank you @sudoranger for your suggestion.

Dion provided a solid explanation as to why Core uses SAMEORIGIN. With no additional follow-up, I'll close this ticket as wontfix.

However, if today there are valid reasonings for the majority users, please consider reopening and sharing.

Note: See TracTickets for help on using tickets.