[Owasp-leaders] Clickjacking Defense

Eoin eoin.keary at owasp.org
Mon Sep 3 19:20:45 UTC 2012


What are the metrics on usage of older browsers which don't support such headers? If it's over 10%....

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 3 Sep 2012, at 18:23, Tobias <tobias.gondrom at owasp.org> wrote:

> Hi Jim, 
> fully agree. Sounds like the right approach. 
> Cheers, Tobias
> 
> 
> On 04/09/12 00:58, Jim Manico wrote:
>> I want to write a Cheat-sheet on Clickjacking defense.
>> 
>> I was thinking of just discussing the different framing blocking headers....
>> 
>> // to prevent all framing of this content 
>> 
>> response.addHeader( "X-FRAME-OPTIONS", "DENY" ); 
>> 
>> // to allow framing of this content only by this site 
>> response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
>> 
>> // to allow framing from a specific domain
>> response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" ); 
>> 
>> ...and call it a day. I do not want to recommend manual framebreaking JavaScript, it's completely ineffective and is easily evaded.
>> 
>> What do you think, any thoughts on this topic?
>> 
>> Cheers folks,
>> 
>> Jim Manico
>> OWASP Volunteer
>> (808) 652-3805
>> 
>> 
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
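A filter form of the header-setting Jim sketches above, as an added example that is not part of the original thread or of any OWASP project code: a hypothetical servlet Filter, FrameOptionsFilter, applies one anti-framing policy to every response. It goes beyond the thread by also emitting the standardised Content-Security-Policy frame-ancestors equivalent, since ALLOW-FROM never gained cross-browser support. The init-param name "policy" and the origin https://trusted.example are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (added example). Init-param "policy" is one of:
// DENY (default), SAMEORIGIN, or a single origin such as https://trusted.example (constructed).
public class FrameOptionsFilter implements Filter {
    private String xfo;  // value for X-Frame-Options
    private String csp;  // value for Content-Security-Policy

    @Override
    public void init(FilterConfig config) throws ServletException {
        String policy = config.getInitParameter("policy");
        if (policy == null || policy.equalsIgnoreCase("DENY")) {
            xfo = "DENY";
            csp = "frame-ancestors 'none'";
        } else if (policy.equalsIgnoreCase("SAMEORIGIN")) {
            xfo = "SAMEORIGIN";
            csp = "frame-ancestors 'self'";
        } else {
            // Refuse anything that is not a plain origin, so a bad config cannot
            // smuggle extra directives or whitespace into the header value.
            if (!policy.matches("https?://[A-Za-z0-9.-]+(:[0-9]+)?")) {
                throw new ServletException("policy must be DENY, SAMEORIGIN or an origin");
            }
            xfo = "ALLOW-FROM " + policy;          // honoured only by some older browsers
            csp = "frame-ancestors " + policy;     // the standardised, widely supported form
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // setHeader, not addHeader: a page must never carry two conflicting values.
            // Headers are set before chain.doFilter so they land before the response commits.
            http.setHeader("X-Frame-Options", xfo);
            http.setHeader("Content-Security-Policy", csp);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

If the application already sends a Content-Security-Policy header elsewhere, merge the frame-ancestors directive into that policy instead of overwriting it here.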