https://wiki.owasp.org/index.php?action=history&feed=atom&title=CRV2_ClientSideCodeJackingFramingCRV2 ClientSideCodeJackingFraming - Revision history2026-04-27T10:48:41ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=CRV2_ClientSideCodeJackingFraming&diff=179853&oldid=prevLarry Conklin at 15:15, 3 August 20142014-08-03T15:15:08Z<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 15:15, 3 August 2014</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l24" >Line 24:</td>
<td colspan="2" class="diff-lineno">Line 24:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>     else { top.location = self.location; }  </div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>     else { top.location = self.location; }  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>     </script></div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>     </script></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">To avoid click jacking or Cross Site Request Forgery of the website, look for implementation of X-Frame-Options .Keep in mind that this code might not work on legacy browsers. The website http://erlend.oftedal.no/blog/tools/xframeoptions/ does a compatibility test on the browser’s x-frame-options support.</ins></div></td></tr>
</table>Larry Conklinhttps://wiki.owasp.org/index.php?title=CRV2_ClientSideCodeJackingFraming&diff=159655&oldid=prevEoinKeary: Created page with "In order to help prevent clickjacking or UI redress attacks one of the following headers should be in all HTTP response headers. '''X-Frame-Options HTTP Response Header''' /..."2013-10-03T14:39:24Z<p>Created page with "In order to help prevent clickjacking or UI redress attacks one of the following headers should be in all HTTP response headers. '''X-Frame-Options HTTP Response Header''' /..."</p>
<p><b>New page</b></p><div>In order to help prevent clickjacking or UI redress attacks one of the following headers should be in all HTTP response headers.<br />
<br />
'''X-Frame-Options HTTP Response Header'''<br />
<br />
// to prevent all framing of this content <br />
'''response.addHeader( "X-FRAME-OPTIONS", "DENY" );''' <br />
<br />
// to allow framing of this content only by this site <br />
'''response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );''' <br />
<br />
// to allow framing from a specific domain <br />
'''response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );'''<br />
<br />
Older browsers dont usderstand the above headers.<br />
In order to help prevent regress attacks we may see the following code on the client side files.<br />
<br />
'''Legacy Browser Clickjacking Defense'''<br />
<style id="antiCJ">body{display:none !important;}</style> <br />
<script type="text/javascript"> <br />
if (self === top) <br />
{ var antiClickjack = document.getElementByID("antiCJ"); <br />
antiClickjack.parentNode.removeChild(antiClickjack) <br />
} <br />
else { top.location = self.location; } <br />
</script></div>EoinKeary