[Owasp-leaders] Clickjacking Cheat Sheet

William Stranathan will at thestranathans.com
Fri Nov 30 12:45:36 UTC 2012


And therein lies the rub. Disabling inline script is the first and best
defense CSP provides for a whole slew of other mechanisms. This means that
to properly defend against clickjacking on legacy and new browsers and get
the (massive) benefits of CSP, we have to do User-Agent string parsing on
the server side. And since you don't know every UA you can get, which side
do you err on? I suppose in those cases, you could err on the side of using
inline JavaScript to bust it and use Content-Security-Policy-Report-Only to
get a more accurate listing of UAs you'd be missing - you'd have to do a
correlation of successful request UA strings and compare that to the CSP
violation report. Any successful UAs in the normal GET logs that don't
show up in the CSP violation report are the ones that don't support CSP (or
have disabled CSP report back).


On Thu, Nov 29, 2012 at 9:36 PM, <owasp-leaders-request at lists.owasp.org> wrote:

> Also, for legacy browser clickjacking support, you NEED a method that
> has inline JavaScript in the <HEAD> for legacy browsers (the purposes of
> manual JS clickjacking defense) to prevent the page from being
> Clickjacked while the JS is being loaded.

-- coleslaw
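The UA correlation described in the message above, as an added example (not code from the original post or from OWASP): it assumes the page carries the inline frame-busting script, is served with a Content-Security-Policy-Report-Only header whose script-src excludes inline script (so every CSP-capable browser reports a violation on load), and that the report-uri endpoint stores the reporting browser's User-Agent beside each JSON report. Both the access-log lines and the report-endpoint records below are constructed samples.

```python
import json
import re

# Constructed sample: combined-format access-log lines for the page that carries the
# inline frame-busting script (not real traffic).
ACCESS_LOG = """\
203.0.113.5 - - [30/Nov/2012:12:00:01 +0000] "GET /account HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/23.0"
203.0.113.9 - - [30/Nov/2012:12:00:05 +0000] "GET /account HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1)"
198.51.100.2 - - [30/Nov/2012:12:00:09 +0000] "GET /account HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/17.0"
198.51.100.7 - - [30/Nov/2012:12:00:11 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1)"
"""

# Constructed sample: one JSON line per POST to the report-uri endpoint; the endpoint is
# assumed to store the reporting browser's User-Agent ("ua") next to the report body.
CSP_REPORT_LOG = """\
{"ua": "Mozilla/5.0 (Windows NT 6.1) Chrome/23.0", "csp-report": {"document-uri": "https://example.test/account", "violated-directive": "script-src 'self'"}}
{"ua": "Mozilla/5.0 (X11; Linux) Firefox/17.0", "csp-report": {"document-uri": "https://example.test/account", "violated-directive": "script-src 'self'"}}
"""

# Request line, status, size, referer and User-Agent fields of the combined log format.
COMBINED_RE = re.compile(r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def page_uas(access_log, page_path):
    """UAs that successfully fetched the page (a 200 on a GET for page_path)."""
    uas = set()
    for line in access_log.splitlines():
        m = COMBINED_RE.search(line)
        if m and m.group("method") == "GET" and m.group("path") == page_path \
                and m.group("status") == "200":
            uas.add(m.group("ua"))
    return uas

def reporting_uas(report_log, page_path):
    """UAs that sent a Report-Only violation for the inline script on page_path."""
    uas = set()
    for line in report_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rep = rec["csp-report"]
        if rep["document-uri"].endswith(page_path) and rep["violated-directive"].startswith("script-src"):
            uas.add(rec["ua"])
    return uas

def uas_without_csp(access_log, report_log, page_path="/account"):
    """UAs seen loading the page but never reporting: no CSP support (or reporting off)."""
    return page_uas(access_log, page_path) - reporting_uas(report_log, page_path)
```

Only requests for the page that actually contains the inline script count; fetches of other resources (the app.js line above) are ignored so a UA is not flagged for traffic that could never have triggered a report.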