Skip to content

fix(x-frame-options): ALLOW-FROM should score 0, not 8 — no current browser honors it#107

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/nice-mendel-bbjnva
Open

fix(x-frame-options): ALLOW-FROM should score 0, not 8 — no current browser honors it#107
dmchaledev wants to merge 1 commit into
mainfrom
claude/nice-mendel-bbjnva

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

checkXFrameOptions in src/rules.ts gave X-Frame-Options: ALLOW-FROM <url> a score of 8/15 with status warning — the same generic score used for any unrecognized value. But ALLOW-FROM isn't merely a weaker directive: it's been removed from every current browser engine (Chrome, Firefox, Safari, Edge) for years. A browser encountering it simply ignores the header, so a response with only X-Frame-Options: ALLOW-FROM https://trusted.example is exactly as embeddable/clickjackable in production as a response with no X-Frame-Options header at all — yet the tool credited it with more than half marks and a reassuring "warning" (rather than effectively "missing") status.

This is a real accuracy gap in the tool's core grading promise, and ALLOW-FROM is a common copy-paste leftover from older IE-era security guidance, so it's not just a theoretical edge case.

Confirmed via the repo's own open-issue/PR history that this isn't a duplicate of anything already filed or in flight — the existing coverage in this area (frame-ancestors */bare-scheme handling) addresses a different code path and was already fixed.

Changes

  • src/rules.ts (checkXFrameOptions): ALLOW-FROM (case-insensitive) now scores 0/15 with a finding explaining that it's ignored by all current browsers, distinct from other unrecognized values which keep the existing 8/15 (genuinely ambiguous/unknown input, not a known-defunct directive).
  • test/analyzer.test.ts: updated the test that previously locked in ALLOW-FROM → score 8 (now asserts score 0 + the new finding text), added a case-insensitivity check, and added a separate test to confirm other unrecognized values are unaffected (still 8/15).

Test plan

  • npm run typecheck passes
  • npm test — 87/87 tests pass (was 85; added 2)
  • Verified no other test/doc references the old ALLOW-FROM → 8 behavior (grep -rn "ALLOW-FROM" across the repo only touches the two files changed here)

Generated by Claude Code

…ore it

X-Frame-Options: ALLOW-FROM is non-standard and has been stripped from
every current browser engine (Chrome, Firefox, Safari, Edge) — the
header value is silently ignored, not honored, so it provides exactly
the same (zero) clickjacking protection as no header at all. The
previous scoring gave it 8/15 alongside genuinely ambiguous/unknown
values, materially overstating real protection for anyone shipping
ALLOW-FROM today (a common copy-paste from outdated IE-era guidance).

Distinguish ALLOW-FROM (score 0, with a finding explaining why) from
other unrecognized values (unchanged at 8/15).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants