[Owasp-leaders] Clickjacking Cheat Sheet
colin.watson at owasp.org
Fri Nov 30 17:45:45 UTC 2012
Yes, I see: legacy-only means more-recent browsers should enforce XFO.
But does the JS really have to be in the HEAD element inline, or could
it be written in dynamically, or added as a link to an external file?
I am just asking to make sure.
I also seem to remember a weirdness in an old version of IE about
having to duplicate some code at the end of the page too. But I can't
quite remember what that was about.
On 30 November 2012 12:45, William Stranathan <will at thestranathans.com> wrote:
> And therein lies the rub. Disabling inline script is the first and best
> defense CSP provides for a whole slew of other mechanisms. This means that
> to properly defend against clickjacking on legacy and new browsers and get
> the (massive) benefits of CSP, we have to do UserAgent string parsing on the
> server side. And since you don't know every UA you can get, which side do
> you err on? I suppose in those cases, you could err on the side of using
> get a more accurate listing of UA's you'd be missing - you'd have to do a
> correlation of successful request UA strings and compare that to the CSP
> violation report. Any successful UA's in the normal GET logs that don't show
> up in the CSP violation report are the ones that don't support CSP (or have
> disabled CSP report back).
> On Thu, Nov 29, 2012 at 9:36 PM, <owasp-leaders-request at lists.owasp.org>
>> Also, for legacy browser clickjacking support, you NEED a method that
>> manual JS clickjacking defense) to prevent the page from being
>> Clickjacked while the JS is being loaded.
> -- coleslaw
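The layered defense the thread is discussing (headers for browsers that enforce them, an inline HEAD script as the legacy fallback), written out as an added example; this is illustrative code, not from the OWASP cheat sheet or the thread, and the function names and the constructed window objects are assumptions:

```javascript
// Added example: clickjacking defense in two layers.
// Layer 1: response headers that modern browsers enforce. frame-ancestors is
// the CSP directive that supersedes X-Frame-Options; both are sent so that
// either generation of browser is covered. mode is 'none' or 'self'.
function framingDefenseHeaders(mode) {
  if (mode !== 'none' && mode !== 'self') throw new Error('mode must be none|self');
  return {
    'X-Frame-Options': mode === 'none' ? 'DENY' : 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors '${mode}'`,
  };
}

// Layer 2: legacy fallback for browsers that ignore X-Frame-Options. The page
// starts hidden by an inline <style>; the inline <head> script reveals it only
// when the document is top-level. Because both are inline and run before the
// body is parsed, there is no interval in which the framed content is visible
// while an external script file is still loading (the concern raised above).
function legacyFrameBustingHead() {
  return [
    '<style id="antiClickjack">body{display:none !important;}</style>',
    '<script>',
    '  if (self === top) {',
    '    var s = document.getElementById("antiClickjack");',
    '    s.parentNode.removeChild(s);',
    '  } else {',
    '    top.location = self.location;',
    '  }',
    '</script>',
  ].join('\n');
}

// The decision the inline script makes, isolated so it can be exercised
// against constructed window stand-ins without a browser.
function decideFraming(win) {
  return win.self === win.top ? 'reveal' : 'bust';
}

// Constructed stand-ins for window objects (not real browser objects).
const topLevelWindow = {};
topLevelWindow.self = topLevelWindow;
topLevelWindow.top = topLevelWindow;
const framedWindow = { self: {}, top: {} };
```

The script still has to be inline: a dynamically written or externally linked script leaves the page visible inside an attacker's frame until it arrives, which is the window the hidden-body trick exists to close.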