https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=MvanhulsentopOWASP - User contributions [en]2026-04-29T19:17:36ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Talk:Clickjacking_Defense_Cheat_Sheet&diff=232491Talk:Clickjacking Defense Cheat Sheet2017-08-22T13:39:08Z<p>Mvanhulsentop: Added question about adding a piece on frame-src</p>
<hr />
<div><br />
== Javascript based solution : are they good now ==<br />
<br />
Considering the fact that people can disable javascript in framed page should we be recommending Javascript based solution for Clickjacking or we should all bet for just XFO.<br />
<br />
I can understand this (javascript based solution) could be a good option when the site can't function without javascript enabled however any site which has script enabled just for this feature can again be victimized using iframe property like sandbox="allow-forms allow-scripts"<br />
<br />
--[[User:Anant Shrivastava|Anant Shrivastava]] ([[User talk:Anant Shrivastava|talk]]) 01:48, 22 June 2014 (CDT)<br />
<br />
== The section related to nested frames sounds confusing. ==<br />
<br />
In the limitations, nested frames paragraph sounds confusing. Is there any mistake there?<br />
<br />
"Nested Frames don't work with SAMEORIGIN and ALLOW-FROM In the following situation, the http://framed.invalid/child frame does not load because ALLOW-FROM applies to the top-level browsing context, not that of the immediate parent. The solution is to use ALLOW-FROM in both the parent and child frames (but this prevents the child frame loading if the //framed.invalid/parent page is loaded as the top level document)."<br />
<br />
Grandchild frame does not use ALLOW-FROM. It uses SAMEORIGIN. <br />
<br />
<br />
<br />
<br />
<br />
https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/<br />
<br />
== The relation between frame-src and frame-ancestors is sometimes confusing ==<br />
The relation between frame-src and frame-ancestors is sometimes confusing. Should the difference be mentioned, or is mentioning frame-src in the context of Clickjacking adding to the confusion?<br />
<br />
I'd like to add a piece where it is stated that the two directives are not the same and where it is stated that the frame-src is about nested iframes in the page in question. Therefor it is not clickjacking related. <br />
--Maarten van Hulsentop</div>Mvanhulsentop