This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Talk:Clickjacking Defense Cheat Sheet
Javascript based solution : are they good now
Considering the fact that people can disable javascript in framed page should we be recommending Javascript based solution for Clickjacking or we should all bet for just XFO.
I can understand this (javascript based solution) could be a good option when the site can't function without javascript enabled however any site which has script enabled just for this feature can again be victimized using iframe property like sandbox="allow-forms allow-scripts"
--Anant Shrivastava (talk) 01:48, 22 June 2014 (CDT)
In the limitations, nested frames paragraph sounds confusing. Is there any mistake there?
"Nested Frames don't work with SAMEORIGIN and ALLOW-FROM In the following situation, the http://framed.invalid/child frame does not load because ALLOW-FROM applies to the top-level browsing context, not that of the immediate parent. The solution is to use ALLOW-FROM in both the parent and child frames (but this prevents the child frame loading if the //framed.invalid/parent page is loaded as the top level document)."
Grandchild frame does not use ALLOW-FROM. It uses SAMEORIGIN.
https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/