WebAppSec/Secure Coding Guidelines: Difference between revisions

* The server rejects the requested action if the CSRF token fails validation


===Preventing Malicious Site Framing (ClickJacking)===
ClickJacking is an attack that layers the target site in a frame, usually invisible or partially covered, so that the victim believes they are clicking or typing on the attacker's page while the clicks and keystrokes are actually delivered to the framed site. The framed site then performs those actions with the victim's session, without the victim's knowledge. Read more about this attack type [http://www.sectheory.com/clickjacking.htm here]


* Two approaches to preventing ClickJacking
# Set the X-Frame-Options header on every response that contains HTML content (the browser evaluates it per document, so a page that is served without it can still be framed). Current versions of all major browsers honour the header. The possible values are "DENY" and "SAMEORIGIN":
#* DENY blocks any site (regardless of domain) from framing the content.
#* SAMEORIGIN blocks all sites from framing the content, except pages from the same origin.
#: The "DENY" setting is recommended unless a specific need for framing has been identified.
# Add a "frame-breaking" script for browsers that do not honour the header. The page content starts hidden and is only revealed once JavaScript has confirmed that it is running and that the top-most window is the current document; if the document is framed, the script navigates the top window to the page itself instead. Hiding the content first matters: if the framing page prevents the navigation, the page simply stays blank rather than clickable.


===3rd Party Scripts===