What is it?
The term Clickjacking describes a malicious technique where a user is fooled into clicking what appears to be a harmless button or link on a page, while they are actually triggering some other action (see the Wikipedia article for details).
Another option relies on support in the web browser. The browser looks for an HTTP header, X-FRAME-OPTIONS. When present, this header indicates that the website in question does not want to be displayed inside a frame. If the browser finds that the page is being framed, it refuses to display the page, thereby protecting the visitor from being fooled.
The X-FRAME-OPTIONS header was introduced by Microsoft and has been honoured since Internet Explorer 8. At the time of this writing, Safari 4 and Chrome 4 were the only other released browsers that also respect this header. Other browsers will surely follow soon.
Clickjacking protection using the X-FRAME-OPTIONS header is enabled by default in Geeklog. You will find the option in the Configuration Admin panel under
- Configuration > Geeklog > Miscellaneous > Miscellaneous > Protection against "clickjacking"
There are three options:
- Strict (default) will not allow any framing
- Same Origin will allow pages on the same domain to frame pages, but will not allow framing by other sites
- (disabled) will turn clickjacking protection off
We strongly advise against disabling this option.
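As an added example (not Geeklog's own code), the Python below maps the three settings to the header value a server should send and models the decision a browser makes when it sees that header; the setting names, the audit helper and the sample response are assumptions, while DENY and SAMEORIGIN are the standard header values.

```python
# Added example: models X-Frame-Options handling for the three Geeklog settings.
from urllib.parse import urlsplit

# Setting names are assumed; only the behaviour follows the documentation.
SETTINGS = {
    "strict": "DENY",            # no framing at all (Geeklog default)
    "sameorigin": "SAMEORIGIN",  # framing only from the same origin
    "disabled": None,            # header not sent: no protection
}


def header_for_setting(setting):
    """Return the X-Frame-Options value to send for a setting, or None."""
    try:
        return SETTINGS[setting.lower()]
    except KeyError:
        raise ValueError(f"unknown setting: {setting!r}")


def origin(url):
    """scheme://host[:port], the part browsers compare for SAMEORIGIN."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def framing_allowed(header_value, page_url, top_url):
    """Decide, as a header-aware browser would, whether page_url may be
    rendered inside a frame whose top-level document is top_url."""
    if header_value is None:
        return True  # no header: browsers fall back to allowing framing
    value = header_value.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(page_url) == origin(top_url)
    return True  # unrecognised value: treated as absent here (browsers vary)


def parse_frame_options(raw_response):
    """Audit helper: pull the X-Frame-Options value out of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-frame-options":
            return value.strip()
    return None


# Constructed sample response, as a site with the default Strict setting would send it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)
```

Running `parse_frame_options` against a real response from your own site is a quick way to confirm the setting actually reaches the browser.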