
Mozilla Foundation Security Advisory 2012-51

Title: X-Frame-Options header ignored when duplicated
Impact: Moderate
Announced: July 17, 2012
Reporter: Frédéric Buclin
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
  Firefox ESR 10.0.6
  Thunderbird 14
  Thunderbird ESR 10.0.6
  SeaMonkey 2.11

Description

Bugzilla developer Frédéric Buclin reported that the X-Frame-Options header is ignored when the value is duplicated, for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown reasons on some websites and, when it occurs, results in Mozilla browsers not being protected against possible clickjacking attacks on those pages.
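
A response-header audit for the duplication described above, added here as an example; it is not part of the advisory and is not Mozilla's code. The function names and sample header sets are constructed, and naive_policy is an assumed, simplified model of a client that ignores a duplicated value.

```python
# Added example: audit X-Frame-Options values for duplicated directives.
KNOWN = ("DENY", "SAMEORIGIN")

def is_directive(token):
    """True for a recognised X-Frame-Options directive."""
    return token in KNOWN or token.startswith("ALLOW-FROM ")

def xfo_tokens(header_lines):
    """Split every X-Frame-Options field line on commas.

    HTTP allows repeated field lines to be combined into one comma-separated
    value, so two separate lines and a single "SAMEORIGIN, SAMEORIGIN" line
    are treated the same here.
    """
    tokens = []
    for line in header_lines:
        tokens.extend(t.strip().upper() for t in line.split(",") if t.strip())
    return tokens

def naive_policy(header_lines):
    """Assumed, simplified model (not browser code) of a client that compares
    the whole combined value to the known directives and ignores the header
    when it does not match."""
    combined = ", ".join(header_lines).strip().upper()
    return combined if is_directive(combined) else None

def audit_xfo(header_lines):
    """Classify one response's X-Frame-Options headers for a site audit."""
    tokens = xfo_tokens(header_lines)
    if not tokens:
        return "missing"
    if not all(is_directive(t) for t in tokens):
        return "invalid"
    if len(tokens) == 1:
        return "ok"
    return "duplicated" if len(set(tokens)) == 1 else "conflicting"

# Constructed sample header sets (one list entry per header line).
SAMPLES = {
    "single": ["SAMEORIGIN"],
    "joined": ["SAMEORIGIN, SAMEORIGIN"],
    "two lines": ["SAMEORIGIN", "SAMEORIGIN"],
    "mixed": ["DENY", "SAMEORIGIN"],
    "absent": [],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        print(f"{name:10} audit={audit_xfo(lines):11} naive={naive_policy(lines)}")
```

A "duplicated" or "conflicting" result points at a server, proxy or framework layer that emits the header more than once; sending it exactly once per response avoids depending on how each client handles the combined value.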
