Security/CSP/ClickJackingModule

From MozillaWiki

Overview

Clickjacking tricks the user into clicking on a concealed element, typically the target site rendered in an invisible or disguised frame on an attacker-controlled page, so that the click performs an action on the user's behalf that the user did not intend. This module lets a site tell the browser which documents are allowed to embed it, and so is intended to prevent such attacks.

Dependencies

This module depends on the BaseModule.

Threat Model

The ClickJackingModule is concerned with defending against an attacker with the following abilities:

  • The attacker owns and operates a malicious web site (e.g., attacker.com).
  • The attacker can cause the user to visit the attacker's web page.

We further assume the web developer wishes to prevent the attacker from achieving the following goal:

  • The attacker makes the user unintentionally click on a link (or other control) on the developer's website.

Syntax

The ClickJackingModule introduces the following directive:

directive               = "frame-ancestors"


Semantics

The UA MUST ensure that ALL ancestors of the document are in the origin list. An ancestor is any HTML document between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are ancestors of C. If A embeds both B and C, B is not an ancestor of C, but A still is. [1]
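The following is an added example, not code from this wiki or from the Firefox implementation. It models the user-agent check described above: the chain of ancestor origins (nearest embedder first) is walked and the protected document is rendered only if every ancestor matches the frame-ancestors source list. The check belongs in the browser, since a script inside the page cannot in general read cross-origin ancestor locations; the ancestor chain below is therefore a constructed input. The source-list forms handled ('none', 'self', *, scheme://host:port origins, a :* port wildcard and *.example.com host wildcards) are simplified assumptions for illustration, not the authoritative CSP grammar, and the example origins are made up.

```javascript
// Added example: a model of the UA's frame-ancestors check. All host/origin
// names below are constructed; the source-expression grammar is an assumption.

// scheme://host:port, optional scheme, optional "*." host wildcard, optional port or ":*"
const SOURCE_EXPR = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/\s]+)(?::(\d+|\*))?$/i;
const DEFAULT_PORT = { https: '443', http: '80' };

// Split a serialized origin such as "https://www.example.com:8443" into
// scheme, host and (explicit or default) port, lower-cased for comparison.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORT[scheme] || '' };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does a single source expression from the directive match one ancestor origin?
// `self` is the origin of the protected resource, used for 'self' and as the
// default scheme of host-only expressions.
function sourceMatches(expr, ancestor, self) {
  if (expr === '*') return true;
  if (expr === "'self'") return sameOrigin(ancestor, self);
  const m = SOURCE_EXPR.exec(expr);
  if (!m) return false; // unparseable expression never matches (fail closed)
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = (scheme || self.scheme).toLowerCase();
  if (ancestor.scheme !== wantScheme) return false;
  const wantHost = host.toLowerCase();
  if (wildcard) {
    // "*.example.com" matches sub.example.com but not example.com itself
    if (!ancestor.host.endsWith('.' + wantHost)) return false;
  } else if (ancestor.host !== wantHost) {
    return false;
  }
  const wantPort = port || DEFAULT_PORT[wantScheme] || '';
  return wantPort === '*' || ancestor.port === wantPort;
}

// The UA check. `ancestors` is the list of embedding documents' origins from
// the direct embedder up to the top-level window; every one of them must be
// permitted by the source list, otherwise the protected document is blocked.
function frameAncestorsAllowed(directiveValue, ancestors, selfOrigin) {
  if (ancestors.length === 0) return true; // top-level document: nothing embeds it
  const sources = directiveValue.trim().split(/\s+/);
  if (sources.includes("'none'")) return false;
  const self = parseOrigin(selfOrigin);
  return ancestors.every((origin) => {
    const anc = parseOrigin(origin);
    return sources.some((expr) => sourceMatches(expr, anc, self));
  });
}

// Constructed scenario: bank.example sends
//   X-Content-Security-Policy: frame-ancestors 'self' https://partner.example
// and is framed in several ways (A embeds B which embeds C, etc.).
function demo() {
  const policy = "'self' https://partner.example";
  const self = 'https://bank.example';
  return {
    attackerFramesBank: frameAncestorsAllowed(policy, ['https://attacker.example'], self),
    // attacker -> partner -> bank: partner is allowed, but attacker is still an ancestor
    attackerFramesPartnerFramesBank: frameAncestorsAllowed(policy, ['https://partner.example', 'https://attacker.example'], self),
    partnerFramesBank: frameAncestorsAllowed(policy, ['https://partner.example'], self),
    bankFramesBank: frameAncestorsAllowed(policy, ['https://bank.example'], self),
  };
}

console.log(demo());
```

The second case in `demo` is the one the "ALL ancestors" rule exists for: a permitted embedder (partner.example) sitting between the attacker and the protected document does not launder the attacker's frame, because the check walks the whole chain rather than stopping at the nearest embedder.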

Open Issues

  • The threat and the solution seem to be disconnected. If the goal is to protect against unintentional clicks, then a fine-grained display separation requirement or a click confirmation dialog requirement (like ClearClick) would address it more directly. If frame-ancestors is the solution, then the goal should be restated as 'control resource embedding'.
  • Another possible clickjacking scenario is when the website itself embeds an iframe: the embedded frame could cover up part of the site (see http://www.cs.berkeley.edu/~devdatta/1.html for a trivial example). Currently this is neither in the threat model nor explicitly outside it. We should decide what we want to do in this case.


[1] https://wiki.mozilla.org/Security/CSP/Spec#frame-ancestors