Details
Alert ID 10020-3
Alert Type Passive
Status release
Risk Medium
CWE 1021
WASC 15
Technologies Targeted All
Tags CWE-1021
OWASP_2017_A06
OWASP_2021_A05
WSTG-V42-CLNT-09
More Info Scan Rule Help

Summary

An X-Frame-Options (XFO) META tag was found. Defining XFO via a META tag is explicitly not supported by the specification (RFC 7034): browsers only honour X-Frame-Options when it arrives as an HTTP response header field, so a META tag provides no protection against clickjacking even though it may look like the control is in place.

Solution

Ensure X-Frame-Options is set via a response header field (for example "DENY" or "SAMEORIGIN"), not in the HTML body. Alternatively, or in addition, consider implementing Content Security Policy's "frame-ancestors" directive, which browsers that support it give precedence over X-Frame-Options.
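The check below is an added example of the logic this alert describes and is not ZAP's own implementation (ZAP's rule is the Java class referenced under Code). It takes a constructed HTTP response (headers plus HTML body), flags an X-Frame-Options META tag as non-compliant, and separately reports whether any effective framing control (an X-Frame-Options header field or a CSP frame-ancestors directive) is present. The sample responses and the finding identifiers are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses (not captured from any real site).
# Response 1: XFO only in a META tag, which browsers ignore.
META_ONLY_RESPONSE = {
    "headers": {"Content-Type": "text/html"},
    "body": """<html><head>
<meta http-equiv="X-Frame-Options" content="DENY">
</head><body>login form</body></html>""",
}
# Response 2: XFO carried as a response header field, as RFC 7034 requires.
HEADER_RESPONSE = {
    "headers": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "body": "<html><head></head><body>login form</body></html>",
}
# Response 3: CSP frame-ancestors, the directive that supersedes XFO.
CSP_RESPONSE = {
    "headers": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "body": "<html><head></head><body>login form</body></html>",
}


class _MetaXfoFinder(HTMLParser):
    """Collects the content= values of <meta http-equiv="X-Frame-Options"> tags."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "x-frame-options":
            self.values.append(a.get("content", "").strip())


def _header(headers, name):
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def has_frame_ancestors(headers):
    """True if a Content-Security-Policy header carries a frame-ancestors directive."""
    csp = _header(headers, "Content-Security-Policy")
    return bool(csp and re.search(r"(^|;)\s*frame-ancestors\b", csp, re.I))


def meta_xfo_values(body):
    """Return the values of every X-Frame-Options META tag found in the body."""
    parser = _MetaXfoFinder()
    parser.feed(body)
    return parser.values


def check_framing_protection(response):
    """Return a list of (hypothetical) finding identifiers for one response.

    'xfo-in-meta'        : X-Frame-Options set via META, which browsers ignore
    'no-framing-control' : neither an X-Frame-Options header field nor a CSP
                           frame-ancestors directive is present
    """
    findings = []
    headers, body = response["headers"], response["body"]
    if meta_xfo_values(body):
        findings.append("xfo-in-meta")
    if _header(headers, "X-Frame-Options") is None and not has_frame_ancestors(headers):
        findings.append("no-framing-control")
    return findings


if __name__ == "__main__":
    samples = [("meta only", META_ONLY_RESPONSE),
               ("header", HEADER_RESPONSE),
               ("csp", CSP_RESPONSE)]
    for name, resp in samples:
        print(f"{name:10s} -> {check_framing_protection(resp) or ['ok']}")
```

The META-only response raises both findings: the tag is present but ineffective, and nothing else restricts framing. The header and CSP responses raise none. The two findings are deliberately kept separate, because a page that sets the header correctly and also carries a stray META tag still deserves the non-compliance warning while not being framable.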

Other Info

References

Code

org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java