错误响应中的X-Frame-Options标头 [英] X-Frame-Options header on error response

问题描述

我发现了一个有趣的错误报告与X-Frame-Options标题相关。但我不明白这可能是什么安全问题。

I found an interesting bug report related to X-Frame-Options header. But I dont understand how this can be security problem.

以下代码作为漏洞证据：

Following code is given as proof of vulnerability:

require 'net/http'  
require 'uri'  
uri = URI.parse("https://play.google.com/#{"a" * 10000}")  
@r = Net::HTTP.get_response uri  
ret = @r.each_header {|x| puts x}  
if ret["x-frame-options"]  
  puts ret["x-frame-options"]  
else  
  puts "Missing x-frame-options!"  
end 

但它正在尝试访问无效的网址（ https://play.google.com/aaaaaaaaa .. 。）并返回错误页面。在响应中，缺少x-frame-options标头。我不明白这可能是一个安全漏洞（因为它是一个无效页面及其错误响应）？如何将其用于点击劫持？为什么重要的是错误响应也应该设置此标头？

But it is trying to access an invalid URL (https://play.google.com/aaaaaaaaa...) and returns an error page. In the response, x-frame-options header is missing. I don't understand how this can be a security vulnerability (since it is a invalid page and its a error response)? How this can be used for clickjacking? Why is it important for the error response also should have this header set?

推荐答案

您可以将以下行添加到.htaccess

You can add following line to .htaccess

Header always unset X-Frame-Options

这篇关于错误响应中的X-Frame-Options标头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！