javascript - To stop ClickJacking, which one is more secure? breaking out of iframe vs X-Frame-Options to Deny or Same Origin -

-

to prevent clickjacking happenning website, have noticed several different methods. use javascript have website break out of iframe, other soltution set x-frame-options header deny or sameorigin. 1 of 2 method mentioned think more secure? here sample page using test clickjacking.

<html> <body> <h1>clickjacking test</h1> <iframe src="http://www.google.com/" height="500" width="500"></iframe> </body> </html>

with iframe break code see firefox , safari slow out of iframe, meaning see clickjacking test , break out of iframe , show original website. ie , chrome fast not noticeable. x-frame-optiions solution not see website @ all. blocked. google in above example. questions 1 of solution better? blocking or breaking out of iframe(slow in 2 browsers)

in experience, setting x-frame-options (xfo) rules works better breaking out of iframes. when comes rules, depends on if absolutely have use iframes. if can remove iframes website completely, using deny rule best; however, if still have iframes in site, use sameorigin rules.

the differences between available rules outlined below (quoted ietf):

  1. deny browser receiving content header must not display content in frame.

  2. sameorigin browser receiving content header must not display content in frame page of different origin content itself. if browser or plugin can not reliably determine whether origin of content , frame have same origin, must treated "deny". [tbd]current implementations not display if origin of top-level-browsing-context different origin of page containing x-frame-options header.

  3. allow-from (followed uri of trusted origins) browser receiving content header must not display content in frame page of different origin listed origin. while can expose page risks trusted origin, in cases may necessary use content other domains. example: x-frame-options: allow-from https://www.domain.com/

i suggest reading, clickjack attack – hidden threat right in front of you troy hunt.

hope helps.


Comments

Post a Comment

Popular posts from this blog

ios - UICollectionView Self Sizing Cells with Auto Layout -

-
Image
i'm trying self sizing uicollectionviewcells working auto layout, can't seem cells size content. i'm having trouble understanding how cell's size updated contents of what's inside cell's contentview. here's setup i've tried: custom uicollectionviewcell uitextview in contentview. scrolling uitextview disabled. the contentview's horizontal constraint is: "h:|[_textview(320)]", i.e. uitextview pinned left of cell explicit width of 320. the contentview's vertical constraint is: "v:|-0-[_textview]", i.e. uitextview pinned top of cell. the uitextview has height constraint set constant uitextview reports fit text. here's looks cell background set red, , uitextview background set blue: i put project i've been playing on github here . updated ios 9 after seeing github solution break under ios 9 got time investigate issue fully. have updated repo include several examples of different configurations s
Read more

node.js - ldapjs - write after end error -

-
i have created authentication service using following code in node.js , ldapjs. var when = require ('when'); var authenticationerror = require('../errors/authenticationerror'); var sessionmanagerservice = require('./sessionmanagerservice'); var ldap = require('ldapjs'); var client = ldap.createclient({ url: 'ldaps://ad.mycompany.com:636', tlsoptions: {'rejectunauthorized': false} }); module.exports = { signin: function (email, password) { return this.ldapbind(email, password).then( function () { return sessionmanagerservice.createsessionhash({email: email}); } ); }, ldapbind: function (email, password) { var deferred = when.defer(); client.bind(email, password, function(err) { if (err) { deferred.reject (new authenticationerror('invalid username and/or password!', 'authentication.signin.error')
Read more

DOM Manipulation in Wordpress (and elsewhere) using php -

-
DOM Manipulation in Wordpress (and elsewhere) using php - i'm quite new dom manipulation world , head start in order avoid mutual errors. i looking efficient way manipulate content generated wordpress using php. @ moment using simple html dom seems work fine. found domdocument , few others , helpfull if cleared out 1 faster, improve or @ to the lowest degree generate less errors in case of bad markup. also on side can explain syntax (instead of $html @$html) thank much php wordpress domdocument simple-html-dom
Read more