[OWASP-cheat-sheets] Clickjacking Defense CS: legacy vs CSP

Alex Efros powerman at powerman.name
Thu Apr 12 21:13:16 UTC 2018


Looks like recommended clickjacking protection for legacy browsers[1]
require switching off much more powerful protection against XSS:

    Content-Security-Policy: default-src 'unsafe-inline';

I'm developing OAuth server and really need best clickjacking protection,
but I'm afraid this trade-off is too disadvantageous.

Maybe it's possible to somehow move recommended CSS and JS snippets to
separate files? I'm not really sure, but I suppose they are recommended to
keep in <head> for a reason, because with external files there is always a
chance they won't be (timely, at least) loaded for some reason.

Another option is to keep CSS/JS inline, but use 'nonce-*' or 'sha256-*'
instead of 'unsafe-inline' - but as these features of CSP2 I'm not sure is
this combination will works in all cases (legacy browser without CSP,
usual browser with CSP1, modern browser with CSP2).

So, how to get best clickjacking protection without relaxing CSP too much?

[1]: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script

			WBR, Alex.

More information about the OWASP-cheat-sheets mailing list