This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Talk:Clickjacking Defense Cheat Sheet

Jump to: navigation, search

Javascript based solution : are they good now

Considering the fact that people can disable javascript in framed page should we be recommending Javascript based solution for Clickjacking or we should all bet for just XFO.

I can understand this (javascript based solution) could be a good option when the site can't function without javascript enabled however any site which has script enabled just for this feature can again be victimized using iframe property like sandbox="allow-forms allow-scripts"

--Anant Shrivastava (talk) 01:48, 22 June 2014 (CDT)

The section related to nested frames sounds confusing.

In the limitations, nested frames paragraph sounds confusing. Is there any mistake there?

"Nested Frames don't work with SAMEORIGIN and ALLOW-FROM In the following situation, the http://framed.invalid/child frame does not load because ALLOW-FROM applies to the top-level browsing context, not that of the immediate parent. The solution is to use ALLOW-FROM in both the parent and child frames (but this prevents the child frame loading if the //framed.invalid/parent page is loaded as the top level document)."

Grandchild frame does not use ALLOW-FROM. It uses SAMEORIGIN.

The relation between frame-src and frame-ancestors is sometimes confusing

The relation between frame-src and frame-ancestors is sometimes confusing. Should the difference be mentioned, or is mentioning frame-src in the context of Clickjacking adding to the confusion?

I'd like to add a piece where it is stated that the two directives are not the same and where it is stated that the frame-src is about nested iframes in the page in question. Therefor it is not clickjacking related. --Maarten van Hulsentop