Cross-Frame Scripting ( 11293 )

This error occurred when we used a WebInspect (21.1.0) scan.

We have tried two methods but still cannot fix it. Is this a false alarm?

1. We added the request header X-Frame-Options and set DENY.

2. We added the request header X-Frame-Options: SAMEORIGIN and content-security-policy: frame-ancestors 'self'.


  • WebInspect flags in three cases:

    1. Response does not have X-Frame-Options header with either Deny or SAMEORIGIN value.
    2. Response does not have Content-Security-Policy with the frame-ancestors attribute set. An attribute with value * or allowing scheme-level access (e.g. http, https, data etc.) would result in flagging the vulnerability.
    3. Response does not have frame-busting logic present.

    In some instances, WI isn't always able to detect #3 because the logic to do so relies on script execution. This script execution is run in a sandbox as we know what we are doing will break the browser state. XFS detection relies on a response from the script server. If it does not receive a response it will flag. Unfortunately, this has been known to cause some false positives.
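    The three conditions above, written out as a small offline checker; this is an added example, not WebInspect's own logic or code from this thread. It assumes that a response is considered protected when at least one of the three checks passes, and that the sample headers and HTML body are constructed here for illustration.

    ```python
    import re

    def _header(headers, name):
        """Case-insensitive lookup of a response header; '' when absent."""
        for key, value in headers.items():
            if key.lower() == name.lower():
                return value.strip()
        return ""

    def xfo_ok(headers):
        """Check 1: X-Frame-Options must be DENY or SAMEORIGIN."""
        return _header(headers, "X-Frame-Options").upper() in ("DENY", "SAMEORIGIN")

    def frame_ancestors_ok(headers):
        """Check 2: CSP frame-ancestors present and not '*' or a bare scheme source."""
        csp = _header(headers, "Content-Security-Policy")
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = parts[1:]
                if not sources:
                    return False
                # '*' and scheme-only sources such as http:, https:, data: let any origin frame the page
                scheme_only = re.compile(r"[a-z][a-z0-9+.-]*:")
                return not any(s == "*" or scheme_only.fullmatch(s.lower()) for s in sources)
        return False  # no frame-ancestors directive at all

    # Common legacy frame-busting idioms (assumed patterns, not the scanner's signature)
    FRAME_BUSTING = re.compile(r"(top\s*!==?\s*self|self\s*!==?\s*top|top\.location\s*=)", re.I)

    def frame_busting_ok(body):
        """Check 3: frame-busting script present in the HTML body."""
        return bool(FRAME_BUSTING.search(body))

    def xfs_findings(headers, body=""):
        """Names of the checks that fail; empty list means all three pass."""
        findings = []
        if not xfo_ok(headers):
            findings.append("missing X-Frame-Options DENY/SAMEORIGIN")
        if not frame_ancestors_ok(headers):
            findings.append("missing or permissive CSP frame-ancestors")
        if not frame_busting_ok(body):
            findings.append("no frame-busting script")
        return findings

    def framing_protected(headers, body=""):
        """Assumption: one passing check keeps the page out of a third-party frame."""
        return len(xfs_findings(headers, body)) < 3

    # Constructed sample: the poster's second attempt (SAMEORIGIN plus frame-ancestors 'self')
    SAMPLE_HEADERS = {"X-Frame-Options": "SAMEORIGIN",
                      "content-security-policy": "default-src 'self'; frame-ancestors 'self'"}
    ```

    Run `xfs_findings(SAMPLE_HEADERS)` to see that only the script check fails, which is the case the reply describes as a likely false positive.
    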

  • Thank you, but after I add the script, the site will no longer allow iframe windows.

  • Thank you, but after I add the script, the site will no longer allow the iframe window?

  • It should not prevent the page from loading an iFrame, but prevent the page from being included in an iFrame.

    A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.