
Firefox 3.6.9 Security Update: X-FRAME-OPTIONS Defense Against Clickjacking

Firefox 3.6.9 now supports the X-FRAME-OPTIONS header, which enables web servers to forbid browsers from rendering the pages they serve inside iframes. In a clickjacking attack, an attacker's website places a transparent iframe containing, for example, Facebook content under the cursor. Users think they are clicking on the visible web page, but are in fact clicking on elements in the transparent Facebook iframe. Earlier this year, hundreds of thousands of Facebook users fell victim to a clickjacking attack after unwittingly clicking on a concealed 'Like' button on a crafted web page. The new option would allow Facebook to prevent attackers from loading its content in an iframe in Firefox. Although Internet Explorer 8 and Chrome already support this option, Facebook is not using it.
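The following is an added example, not code from the article or from any of the products it names: a WSGI middleware that sends the header on every response, plus a simplified model of how a supporting browser decides whether to render a framed page. `DENY` and `SAMEORIGIN` are the header's standard values (the article does not list them); the names `FrameGuard` and `framing_allowed` and the `.example` hostnames are hypothetical.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port)

def framing_allowed(headers, page_url, parent_url):
    """Simplified model: may page_url be rendered in a frame on parent_url?

    headers is the list of (name, value) response headers sent with page_url.
    Only the immediate framing page is compared (an assumption of this model).
    """
    values = [v.strip().upper() for n, v in headers
              if n.lower() == "x-frame-options"]
    for v in values:
        if v == "DENY":
            return False
        if v == "SAMEORIGIN" and origin(page_url) != origin(parent_url):
            return False
    # No header, or only unrecognised values: nothing forbids framing.
    return True

class FrameGuard:
    """WSGI middleware that adds X-Frame-Options when the app did not set it."""
    def __init__(self, app, policy="DENY"):
        if policy not in ("DENY", "SAMEORIGIN"):
            raise ValueError("policy must be DENY or SAMEORIGIN")
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        def guarded(status, headers, exc_info=None):
            if not any(n.lower() == "x-frame-options" for n, _ in headers):
                headers = list(headers) + [("X-Frame-Options", self.policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, guarded)

if __name__ == "__main__":
    # Constructed sample: a page with a 'Like' button, framed by another site.
    unprotected = [("Content-Type", "text/html")]
    protected = unprotected + [("X-Frame-Options", "SAMEORIGIN")]
    page, attacker = "https://social.example/like", "https://crafted.example/"
    print("without header:", framing_allowed(unprotected, page, attacker))
    print("with header:   ", framing_allowed(protected, page, attacker))
```

The header only protects users whose browser honours it, so the check in `framing_allowed` describes supporting browsers, not older ones.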

The link for this article located at H Security is no longer available.
