Clickjacking Protection

From GeeklogWiki
Revision as of 09:07, 29 January 2010 by Dirk (talk | contribs) (Chrome 4 now also supports X-FRAME-OPTIONS)


What is it?

The term Clickjacking describes a malicious technique where a user is fooled into clicking what appears to be a harmless button or link on a page, while they are actually triggering some other action (see the Wikipedia article for details).


Protection

Clickjacking depends on the use of frames. Therefore, one option to protect your website from being used in clickjacking attempts is to use a JavaScript "frame killer" script.

Another option depends on support by the web browser. The browser looks for an HTTP header, X-FRAME-OPTIONS. When present, this header indicates that the website in question does not want to be displayed inside a frame. If the browser finds that the page is being framed, it refuses to display it, thereby protecting the visitor from being fooled.

IE8 refusing to display a page inside a frame

The X-FRAME-OPTIONS header was introduced by Microsoft and is honoured as of Internet Explorer 8. At the time of this writing, Safari 4 and Chrome 4 were the only other released browsers to also respect this header. Other browsers will surely follow soon.


Configuration

Clickjacking protection using the X-FRAME-OPTIONS header is enabled by default in Geeklog. You will find the option in the Configuration Admin panel under

Configuration > Geeklog > Miscellaneous > Miscellaneous > Protection against "clickjacking"

There are 3 options:

  • Strict (default) will not allow any framing
  • Same Origin will allow pages on the same domain to frame pages, but will not allow framing by other sites
  • (disabled) will disable clickjacking protection.

We strongly advise against disabling this option.
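As an added illustration (not Geeklog's own code), the following Python script maps the three configuration choices above to the header values a browser understands and decides whether a header-aware browser would refuse to render a page inside a frame hosted elsewhere. The setting names, the sample responses and the hostnames are constructed for the example.

```python
from urllib.parse import urlsplit

# Geeklog's three settings (names as shown in the admin panel) mapped to the
# header values the browser understands. "disabled" sends no header at all.
GEEKLOG_SETTINGS = {
    "Strict": "DENY",
    "Same Origin": "SAMEORIGIN",
    "disabled": None,
}

def header_for_setting(setting):
    """Return the X-FRAME-OPTIONS value to send for a Geeklog setting, or None."""
    return GEEKLOG_SETTINGS[setting]

def origin_of(url):
    """Scheme + host + port: what 'same origin' means to the browser."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), parts.hostname.lower(), port)

def framing_blocked(headers, page_url, framer_url):
    """
    Decide whether a header-aware browser (IE8, Safari 4, Chrome 4) refuses
    to render page_url inside a frame hosted at framer_url.
    Header name lookup is case-insensitive, as HTTP header names are.
    """
    value = None
    for name, val in headers.items():
        if name.lower() == "x-frame-options":
            value = val.strip().upper()
    if value is None:
        return False          # no header: protection is off, framing allowed
    if value == "DENY":
        return True           # Strict: never framed, not even by the site itself
    if value == "SAMEORIGIN":
        return origin_of(page_url) != origin_of(framer_url)
    return False              # unknown value: browsers ignore the header

# Constructed sample responses, standing in for what a site check would fetch.
SAMPLE_RESPONSES = {
    "https://geeklog.example/index.php": {"X-Frame-Options": "SAMEORIGIN"},
    "https://geeklog.example/admin/": {"X-FRAME-OPTIONS": "DENY"},
    "https://geeklog.example/unprotected.php": {},
}

def audit(responses, third_party_url="https://other.example/page.html"):
    """Return the URLs that an unrelated site could still frame (a finding)."""
    return [u for u, h in responses.items()
            if not framing_blocked(h, u, third_party_url)]
```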