Overview

By tricking the user into clicking on a concealed link, clickjacking can result in unintentional actions being executed on the user's behalf. This module tries to prevent against such an attack.

Dependencies

This module depends on the BaseModule.

Threat Model

The ClickjackingModule is concerned with defending against an attacker with the following abilities:

• The attacker owns and operates a malicious web site (e.g., attacker.com).
  
• The attacker can cause the user to visit the attacker's web page.
  

We further assume the web developer wishes to prevent the attacker from achieving the following goals:

• The attacker must not be able to make the user unintentionally click on a link on the developer's website.

Syntax

The ClickjackingModule introduces the following directives:

directive               = "frame-ancestors"

Semantics

The UA MUST ensure that ALL ancestors of the document are in the origin list. An ancestor is any HTML document between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are ancestors of C. If A embeds both B and C, B is not an ancestor of C, but A still is. [1]

Open Issues

• The threat and the solution seem to be disconnected. If the goal is to protect against unintentional clicks, then maybe a fine grained display separation requirement / click confirmation dialog requirement should be made. If the solution is this, then the goal should be rewritten as 'control resource embedding'.

[1] https://wiki.mozilla.org/Security/CSP/Spec#frame-ancestors