Merge pull request #4 from eligolding/patch-1

Added warning for lack of browser support for the ALLOW-FROM option
EvanHahn committed Jun 5, 2015
2 parents 7c22594 + 7d497aa commit 831159cf635e62edb17831b7e31a71c8a775e7f9
Showing with 2 additions and 0 deletions.
  1. +2 −0 README.md
@@ -23,3 +23,5 @@ app.use(frameguard('allow-from', 'http://example.com'));
```
**Limitations:** This has pretty good (but not 100%) browser support: IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+. It only prevents against a certain class of attack, but does so pretty well. It also prevents your site from being framed, which you might want for legitimate reasons.
**Warning:** The `ALLOW-FROM` header option is [not supported in most browsers](https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options#Browser_compatibility). Those browsers will ignore the entire header, [and the frame *will* be displayed](https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations_2).
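Review bot: The added **Warning:** line now contradicts the unchanged **Limitations:** line directly above it, which still lists "IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+" with no indication that the list does not cover `allow-from`. Suggest scoping that sentence to the options it actually describes, or folding the warning into it, so a reader does not stop at "pretty good browser support". The warning would also be harder to miss placed next to the `app.use(frameguard('allow-from', 'http://example.com'));` example, where the option is copied from. Since it says the header is ignored and "the frame *will* be displayed", it should add one sentence on what to do about that (for example, not relying on `allow-from` as the only framing control). Finally, "most browsers" is vague and the supporting detail lives only behind two external links with fragment anchors; naming the affected browsers inline would keep the README accurate if those anchors move.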
