X-Frame-Options (XFO) header cannot be recognized

[sarukuku]

I tested jsq.bondsrv.com by running httpobs jsq.bondsrv.com and get among other messages the note that X-Frame-Options (XFO) header cannot be recognized. If I check the server response with f.ex. Chrome developer tools I can see that the headers include X-Frame-Options twice:

X-Frame-Options:SAMEORIGIN
X-Frame-Options:SAMEORIGIN

In the tool source you mention that having this header multiple times is common and I agree. It's set onece by nginx for all sites and in this case a second time by WordPress.

I'm wondering why the test fails in my case?

[april]

Yep, the HTTP Observatory is actually correct in this case: you're being failed because your sending it twice. The browser will parse it as SAMEORIGIN, SAMEORIGIN, and behavior will vary widely. For example, I believe in Firefox, it will get ignored entirely. Chrome I think chooses the most strict option -- it's kind of a mess. Sending it once is where you want to be.

I would generally recommend using the CSP's frame-ancestors 'self' instead, as XFO will eventually be deprecated. Plus, you'll get a bonus on your score. :)

[floatingatoll]

What negative penalty is assigned for duplicate headers in this situation?

[april]

It's the same penalty as it not being implemented at all, in this case, -20.

[sarukuku]

@marumari thanks for clarifying. Quite bad behavior from browsers. If I were a browser I'd probably use the strictest option provided. 😛

[april]

Yeah, I totally agree, but that's why I alert about it. :)

[sarukuku]

Good good! Do you know if there are bug tickets open for different browsers for this behavior?

[april]

Not that I know of. XFO is hardly a specification, and I believe they're behaving correctly according to HTTP. In any case, XFO is going away reasonably soon anyways -- you can get the same behaviour with CSP, so I wouldn't be surprised to see it go away over the next few years.