[OWASP-cheat-sheets] Clickjacking Defense CS: legacy vs CSP

Dominique Righetto dominique.righetto at owasp.org
Fri Apr 13 04:41:17 UTC 2018


Hi,

For older browsers (only IE11 is supported about security updates so it's
recommanded to upgrade), one idea is to mimic the behavior of the SRI using
client JS hashing code but honnestly it's acceptable to request a "recent"
browser like IE>= 11 or recent version of FF,Chrome,Safari in order to
benefits from SRI, X-Frame-Optiosn or full CSP moreover in the context of
using feature like OAuth.

Dom

--
Cordialement, Best regards,
Dominique Righetto
dominique.righetto at gmail.com
<dominique.righetto at gmail.com>dominique.righetto at owasp.org
<dominique.righetto at gmail.com>
https://righettod.eu
GPG: 323D19BA

On Thu, Apr 12, 2018 at 11:13 PM, Alex Efros <powerman at powerman.name> wrote:

> Hi!
>
> Looks like recommended clickjacking protection for legacy browsers[1]
> require switching off much more powerful protection against XSS:
>
>     Content-Security-Policy: default-src 'unsafe-inline';
>
> I'm developing OAuth server and really need best clickjacking protection,
> but I'm afraid this trade-off is too disadvantageous.
>
> Maybe it's possible to somehow move recommended CSS and JS snippets to
> separate files? I'm not really sure, but I suppose they are recommended to
> keep in <head> for a reason, because with external files there is always a
> chance they won't be (timely, at least) loaded for some reason.
>
> Another option is to keep CSS/JS inline, but use 'nonce-*' or 'sha256-*'
> instead of 'unsafe-inline' - but as these features of CSP2 I'm not sure is
> this combination will works in all cases (legacy browser without CSP,
> usual browser with CSP1, modern browser with CSP2).
>
> So, how to get best clickjacking protection without relaxing CSP too much?
>
> [1]: https://www.owasp.org/index.php/Clickjacking_Defense_
> Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script
>
> --
>                         WBR, Alex.
> _______________________________________________
> OWASP-cheat-sheets mailing list
> OWASP-cheat-sheets at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-cheat-sheets/attachments/20180413/8b698541/attachment.html>


More information about the OWASP-cheat-sheets mailing list