[Owasp-leaders] Clickjacking Defense

Tobias tobias.gondrom at owasp.org
Tue Sep 4 17:00:35 UTC 2012


Hi Erlend,
FYI: actually we are currently working on rolling the "Allow-From" into 
the next version of XFO for all browsers, which in this case then will 
be Frame-Options (without the "X-").
An alternative route we currently analyse is to wrap FO into CSP, but 
there are some technical problems with that. Would expect all to be 
sorted and done by Q1 2013.
Best regards, Tobias

PS: the current XFO: 
http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00
and the new FO http://tools.ietf.org/html/draft-ietf-websec-frame-options-00



On 04/09/12 21:06, Erlend Oftedal wrote:
> I did a bit of research on X-frame-options a while back. At the time 
> only IE supported Allow-from.
> That may still hold.
> http://erlend.oftedal.no/blog/tools/xframeoptions/
>
> Erlend
>
> ------------------------------------------------------------------------
> *From:* owasp-leaders-bounces at lists.owasp.org 
> [owasp-leaders-bounces at lists.owasp.org] on behalf of Eoin 
> [eoin.keary at owasp.org]
> *Sent:* 4 September 2012 13:35
> *To:* Jim Manico
> *Cc:* Eoin Keary; owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Clickjacking Defense
>
> Sure not everyone is security savvy. They'll use older browsers!!
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 4 Sep 2012, at 08:59, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>> It's an ineffective approach.  I'd prefer to add a section saying NOT 
>> to do it and will provide the Stanford article link as backup. Fair?
>>
>> PS: If you use an older browser you have much much bigger problems....
>>
>> --
>> Jim Manico
>> (808) 652-3805
>>
>> On Sep 4, 2012, at 8:44 AM, Eoin Keary <eoinkeary at gmail.com 
>> <mailto:eoinkeary at gmail.com>> wrote:
>>
>>> So we should mention that?? It is still a common approach to cover 
>>> older browsers.
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 3 Sep 2012, at 21:35, Jim Manico <jim.manico at owasp.org 
>>> <mailto:jim.manico at owasp.org>> wrote:
>>>
>>>> It's so easily evadable ...
>>>>
>>>> http://seclab.stanford.edu/websec/framebusting/framebust.pdf
>>>>
>>>> ... I no longer recommend the technique. If there IS a good 
>>>> JavaScript framebusting technique I'm all ears...
>>>>
>>>> Jim Manico
>>>> OWASP Volunteer
>>>> (808) 652-3805
>>>>
>>>>
>>>>
>>>>> The jscript stuff still makes it a little harder. There are also some sorta effective solutions. Should you not include them?
>>>>>
>>>>> Eoin Keary
>>>>> Owasp Global Board
>>>>> +353 87 977 2988
>>>>>
>>>>>
>>>>> On 3 Sep 2012, at 17:58, Jim Manico<jim.manico at owasp.org>  wrote:
>>>>>
>>>>>> I want to write a Cheat-sheet on Clickjacking defense.
>>>>>>
>>>>>> I was thinking of just discussing the different framing blocking headers....
>>>>>>
>>>>>> // to prevent all framing of this content
>>>>>> response.addHeader( "X-FRAME-OPTIONS", "DENY" );
>>>>>>
>>>>>> // to allow framing of this content only by this site
>>>>>> response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
>>>>>>
>>>>>> // to allow framing from a specific domain
>>>>>> response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
>>>>>>
>>>>>> ...and call it a day. I do not want to recommend manual framebreaking JavaScript, it's completely ineffective and is easily evaded.
>>>>>>
>>>>>> What do you think, any thoughts on this topic?
>>>>>>
>>>>>> Cheers folks,
>>>>>>
>>>>>> Jim Manico
>>>>>> OWASP Volunteer
>>>>>> (808) 652-3805
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>
>
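As an added example that is not part of the thread, the following Python shows the three X-Frame-Options values Jim lists, plus the CSP frame-ancestors directive that later took over the role Tobias describes for Frame-Options, and an audit function that flags the weak spots discussed above (ALLOW-FROM having limited browser support, a missing or invalid header). Header names and values are real; the response-as-dict model, the function names, and the sample responses are constructed for this example.

```python
"""Set and audit anti-framing response headers (added example, not thread code)."""
from typing import Optional
from urllib.parse import urlsplit


def anti_framing_headers(policy: str, allowed_origin: Optional[str] = None) -> dict:
    """Return the headers a response should carry for the given framing policy.

    policy is one of "deny", "sameorigin" or "allow-from" (the three
    X-Frame-Options values from the thread). Because ALLOW-FROM was only
    honoured by some browsers, the equivalent CSP frame-ancestors directive
    is always emitted alongside X-Frame-Options as a fallback.
    """
    if policy == "deny":
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if policy == "sameorigin":
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    if policy == "allow-from":
        if not allowed_origin:
            raise ValueError("allow-from requires an origin")
        parts = urlsplit(allowed_origin)
        # ALLOW-FROM takes exactly one origin (scheme + host[:port]), no path.
        if parts.scheme not in ("http", "https") or not parts.netloc \
                or parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError("allowed_origin must be a bare origin such as https://example.com")
        origin = f"{parts.scheme}://{parts.netloc}"
        return {"X-Frame-Options": f"ALLOW-FROM {origin}",
                "Content-Security-Policy": f"frame-ancestors {origin}"}
    raise ValueError(f"unknown policy {policy!r}")


def audit_framing_defense(headers: dict) -> list:
    """Return a list of findings for a response's headers; empty means framing is blocked."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    xfo = lowered.get("x-frame-options", "").strip().upper()
    csp = lowered.get("content-security-policy", "")
    has_frame_ancestors = "frame-ancestors" in csp.lower()

    if not xfo and not has_frame_ancestors:
        findings.append("no anti-framing header: page can be framed by any site")
        return findings
    if xfo.startswith("ALLOW-FROM"):
        findings.append("ALLOW-FROM is only honoured by some browsers; others ignore the header")
        if not has_frame_ancestors:
            findings.append("no CSP frame-ancestors fallback for browsers that ignore ALLOW-FROM")
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore invalid values")
    if not xfo and has_frame_ancestors:
        findings.append("only CSP frame-ancestors set; browsers without CSP support are unprotected")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "no header": {},
        "deny": anti_framing_headers("deny"),
        "allow-from X (literal from the thread)": {"X-FRAME-OPTIONS": "ALLOW-FROM X"},
        "allow-from with CSP fallback": anti_framing_headers("allow-from", "https://example.com"),
    }
    for name, hdrs in samples.items():
        print(f"{name}: {audit_framing_defense(hdrs) or ['ok']}")
```

Run it stand-alone to see the audit of the constructed responses; in practice the audit function would be fed the headers of a real HTTP response from your own application.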
