[Owasp-leaders] Clickjacking Cheat Sheet

Colin Watson colin.watson at owasp.org
Fri Nov 30 17:45:45 UTC 2012


Jim

Yes I see legacy-only means more-recent browsers should enforce XFO.
But does the JS really have to be in the HEAD element inline, or could
it be written in dynamically, or added as a link to an external file.
I am just asking to make sure.

I also seem to remember a weirdness in an old version of IE about
having to duplicate some code at the end of the page too. But I can't
quite remember what that was about.

Colin

On 30 November 2012 12:45, William Stranathan <will at thestranathans.com> wrote:
> Jim:
>
> And therein lies the rub. Disabling inline script is the first and best
> defense CSP provides for a whole slew of other mechanisms. This means that
> to properly defend against clickjacking on legacy and new browsers and get
> the (massive) benefits of CSP, we have to do UserAgent string parsing on the
> server side. And since you don't know every UA you can get, which side do
> you err on? I suppose in those cases, you could err on the side of using
> inline Javascript to bust it and use Content-Security-Policy-Report-Only to
> get a more accurate listing of UA's you'd be missing - you'd have to do a
> correlation of successful request UA strings and compare that to the CSP
> violation report. Any successful UA's in the normal GET logs that don't show
> up in the CSP violation report are the ones that don't support CSP (or have
> disabled CSP report back).
>
> w
>
>
> On Thu, Nov 29, 2012 at 9:36 PM, <owasp-leaders-request at lists.owasp.org>
> wrote:
>>
>> Also, for legacy browser clickjacking support, you NEED a method that
>> has inline JavaScript in the <HEAD> for legacy browsers (the purposes of
>> manual JS clickjacking defense) to prevent the page from being
>> Clickjacked while the JS is being loaded.
>
>
>
>
> --
> -- coleslaw
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>


More information about the OWASP-Leaders mailing list