
CRV2 ClientSideCodeJackingFraming

From OWASP
Revision as of 14:39, 3 October 2013 by EoinKeary (talk | contribs) (Created page with "In order to help prevent clickjacking or UI redress attacks one of the following headers should be in all HTTP response headers. '''X-Frame-Options HTTP Response Header''' /...")


To help prevent clickjacking (UI redress) attacks, every HTTP response should carry an X-Frame-Options header set to one of the values below.

X-Frame-Options HTTP Response Header

   // to prevent all framing of this content
   response.addHeader( "X-FRAME-OPTIONS", "DENY" );

   // to allow framing of this content only by this site (same scheme, host and port)
   response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );

   // to allow framing only from a specific origin; X is a placeholder for a single origin such as https://example.com
   response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );

Send exactly one X-Frame-Options header per response (with the Servlet API, setHeader rather than addHeader avoids accidental duplicates). ALLOW-FROM accepts a single origin and is not honoured by every browser: a browser that does not recognise the value ignores the whole header, which leaves the page framable by anyone, so it must not be the sole defense.
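The header values above as a decision function, added here as an example and not code from the OWASP page: it models how a browser interprets an X-Frame-Options value against the origin of the framing page (after RFC 7034), including the two failure modes a code reviewer should look for, an unrecognised value and ALLOW-FROM in a browser that ignores it, plus a small handler wrapper that sets the header per request. The origins, paths and the /widget policy are assumptions made up for the example.

```javascript
'use strict';
// Added example (not from the OWASP page): X-Frame-Options as a decision
// function after RFC 7034, plus a handler wrapper that sets the header.
// Origins, paths and the /widget policy below are made-up sample values.

// Parse one X-Frame-Options value. Returns null for anything a browser would
// not recognise; RFC 7034 says an unrecognised value is ignored, so a typo
// such as "deny;" or the non-standard "ALLOWALL" gives no protection at all.
function parseXFrameOptions(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  if (/^DENY$/i.test(v)) return { directive: 'DENY' };
  if (/^SAMEORIGIN$/i.test(v)) return { directive: 'SAMEORIGIN' };
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(v);
  if (m) {
    try {
      const origin = new URL(m[1]).origin;   // normalises case and default port
      if (origin !== 'null') return { directive: 'ALLOW-FROM', origin };
    } catch (e) {
      // malformed origin: treated like an unrecognised value
    }
  }
  return null;
}

// Would a browser render the page (served from pageOrigin with this header)
// inside a frame whose top-level document comes from framerOrigin?
// allowFromSupported models the browser: Firefox (until v70) and IE honoured
// ALLOW-FROM; Chrome and Safari never did and treat it as unrecognised,
// i.e. exactly as if no header had been sent.
function framingAllowed(headerValue, pageOrigin, framerOrigin, allowFromSupported = false) {
  const parsed = parseXFrameOptions(headerValue);
  if (parsed === null) return true;           // no usable header: framable by anyone
  if (parsed.directive === 'DENY') return false;
  if (parsed.directive === 'SAMEORIGIN') return pageOrigin === framerOrigin;
  // ALLOW-FROM
  return allowFromSupported ? parsed.origin === framerOrigin : true;
}

// Per-request policy (assumed for the example): deny everywhere except a
// sample /widget path that our own site is allowed to embed.
function defaultPolicy(req) {
  return req.url.startsWith('/widget') ? 'SAMEORIGIN' : 'DENY';
}

// Wrap a Node-style (req, res) handler so every response carries the header.
// setHeader (not an "add" variant) guarantees exactly one header is emitted.
function withFrameOptions(handler, policy = defaultPolicy) {
  return function (req, res) {
    res.setHeader('X-Frame-Options', policy(req));
    return handler(req, res);
  };
}
```

Pass the wrapped handler to http.createServer in Node (or port the wrapper to a servlet filter); framingAllowed is the same check you would run over captured response headers during a review to see which origins can still frame a page.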

Older browsers don't understand the header above. To help prevent UI redress attacks in those browsers as well, the following frame-busting code may be found in client-side files. It hides the page body with CSS until a script confirms the page is not framed; if the page is framed, the script tries to navigate the top window to itself, and if that navigation is blocked (for example by a sandboxed iframe) the body simply stays hidden. Note that, unlike SAMEORIGIN, this refuses framing even by the site itself.

   Legacy Browser Clickjacking Defense
   <style id="antiCJ">body{display:none !important;}</style>
   <script type="text/javascript">
   if (self === top) {
       // not framed: remove the style that hides the body
       var antiClickjack = document.getElementById("antiCJ");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       // framed: break out of the frame; if this is blocked the body stays hidden
       top.location = self.location;
   }
   </script>
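The legacy defense above as a standalone function, added here as an example and not code from the OWASP page: it runs the same logic against a constructed stand-in for window and document so that the three outcomes can be checked outside a browser, including the case where the iframe is sandboxed and the top.location navigation is blocked. The origins and the minimal DOM objects are assumptions made for the example.

```javascript
'use strict';
// Added example (not from the OWASP page): the legacy frame-busting logic as a
// function of the window/document it runs in. makeEnv() builds a constructed
// stand-in for the DOM with only the members the defense touches; the origins
// in it are made-up sample values.

const STYLE_ID = 'antiCJ';  // same id as the <style> element in the snippet

// Returns what happened: 'shown' (top-level, body unhidden), 'busted' (framed,
// navigation out of the frame started) or 'hidden' (framed, navigation was
// blocked; the body stays hidden because the style is never removed).
function antiClickjack(win, doc) {
  if (win.self === win.top) {
    const hide = doc.getElementById(STYLE_ID);
    if (hide) hide.parentNode.removeChild(hide);
    return 'shown';
  }
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // A sandboxed iframe without allow-top-navigation blocks this (some
    // browsers throw a SecurityError, others fail silently). Either way the
    // <style> is still in place, so the attacker ends up framing a blank page.
    return 'hidden';
  }
  return 'busted';
}

// Minimal constructed DOM: a <head> holding the hide-style, plus self and top.
function makeEnv({ framed, sandboxed = false }) {
  const style = { id: STYLE_ID, parentNode: null };
  const head = {
    children: [style],
    removeChild(node) {
      this.children = this.children.filter(c => c !== node);
      return node;
    },
  };
  style.parentNode = head;
  const doc = {
    getElementById: id => head.children.find(c => c.id === id) || null,
  };
  const self = { location: 'https://app.example/page' };
  let top = self;
  if (framed) {
    top = { _location: 'https://attacker.example/' };
    Object.defineProperty(top, 'location', {
      get() { return this._location; },
      set(v) {
        if (sandboxed) throw new Error('SecurityError: sandboxed frame may not navigate top');
        this._location = v;
      },
    });
  }
  return { win: { self, top }, doc, bodyHidden: () => head.children.includes(style) };
}
```

The order of operations is the whole point: the body is hidden by CSS before any script runs, and only the non-framed branch ever removes that style, so a blocked or silently ignored navigation fails safe.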