Document Action: 'HTTP Header Field X-Frame-Options' to Informational RFC (draft-ietf-websec-x-frame-options-12.txt)

The IESG <> Wed, 28 August 2013 13:11 UTC

The IESG has approved the following document:
- 'HTTP Header Field X-Frame-Options'
  (draft-ietf-websec-x-frame-options-12.txt) as Informational RFC

This document is the product of the Web Security Working Group.

The IESG contact persons are Barry Leiba and Pete Resnick.

A URL of this Internet Draft is:

Technical Summary

This Informational document records the existing use and
specification of the X-Frame-Options HTTP response header field.

To improve the protection of web applications against Clickjacking,
this document describes the X-Frame-Options HTTP response header
field, which declares a policy, communicated from the server to the
client browser, on whether the browser may display the transmitted
content in frames that are part of other web pages.
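The framing decision that policy expresses, as an added Python example (not code from the IESG announcement or the draft): it applies the DENY, SAMEORIGIN and ALLOW-FROM values the draft documents, treats an absent or unrecognised value as offering no protection, and runs a small audit over constructed response headers to flag the unprotected ones.

```python
from urllib.parse import urlsplit

# Values documented by draft-ietf-websec-x-frame-options (RFC 7034):
#   DENY            never render the response in a frame
#   SAMEORIGIN      render only when the top-level page has the same origin
#   ALLOW-FROM uri  render only when the top-level page has the given origin
# Anything else does not match the documented grammar; browsers ignore it,
# so it is equivalent to sending no header at all.

def origin_of(url):
    """(scheme, host, port) of a URL; the port defaults per scheme."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port)

def parse_xfo(value):
    """Classify a header value as DENY, SAMEORIGIN, ALLOW-FROM (with the
    allowed origin), ABSENT or INVALID.  Tokens are case-insensitive."""
    if value is None:
        return ("ABSENT", None)
    parts = value.strip().split(None, 1)
    token = parts[0].upper() if parts else ""
    if token in ("DENY", "SAMEORIGIN") and len(parts) == 1:
        return (token, None)
    if token == "ALLOW-FROM" and len(parts) == 2:
        return (token, origin_of(parts[1].strip()))
    return ("INVALID", value)

def may_frame(value, framed_url, top_url):
    """Would a browser honouring X-Frame-Options render framed_url inside
    a page whose top-level document is top_url?"""
    kind, arg = parse_xfo(value)
    if kind == "DENY":
        return False
    if kind == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(top_url)
    if kind == "ALLOW-FROM":
        return origin_of(top_url) == arg
    return True  # ABSENT or INVALID: no protection against framing

# Constructed sample responses (hypothetical hosts) for a defender's audit.
SAMPLE_RESPONSES = {
    "https://app.example/login": "SAMEORIGIN",
    "https://app.example/widget": "ALLOW-FROM https://partner.example",
    "https://app.example/admin": "deny",
    "https://app.example/old": "ALLOWALL",   # not in the grammar
    "https://app.example/legacy": None,      # header missing
}

def audit(responses):
    """URLs whose response offers no effective framing protection."""
    return sorted(u for u, v in responses.items()
                  if parse_xfo(v)[0] in ("ABSENT", "INVALID"))
```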

Review and Consensus

In 2009 and 2010 many browser vendors introduced the use of a
non-standard HTTP header field, "X-Frame-Options", to protect against
Clickjacking. There have been differences between the various
implementations, which may cause security and interoperability
concerns. This draft has been produced as Informational by the websec
working group to document the current use and also to serve as a
baseline for a future unified standard as part of the Content Security
Policy 1.1 currently being produced by WebAppSec at the W3C, and to get
rid of the deprecated "X-" prefix (see RFC 6648).

The review process took sufficient time and involved a moderate number
of people with deep browser security knowledge. During the review
process no major controversies came up, which is not too surprising
as the draft is intended to be informational and documentary.


Yoav Nir is the Document Shepherd. Barry Leiba is the Responsible 
Area Director.