To stop ClickJacking, which one is more secure? breaking out of iframe vs X-Frame-Options to Deny or Same Origin

DoodleKana · Aug 12, 2013 · Viewed 7.4k times

To prevent clickjacking from happening on your website, I have noticed several different methods. Some use JavaScript to have your website break out of the iframe; the other solution is to set the X-FRAME-OPTIONS header to DENY or SAMEORIGIN. Which one of the 2 methods I mentioned do you think is more secure? Here is a sample page I am using to test clickjacking.

<HTML>
<BODY>
<H1>Clickjacking Test</H1>
<IFRAME SRC="http://www.google.com/" HEIGHT="500" WIDTH="500"></IFRAME>
</BODY>
</HTML>

With iframe break code you will see that Firefox and Safari will be slow to get out of the iframe, meaning you will see "Clickjacking Test" and then it will break out of that iframe and show the original website. With IE and Chrome it is so fast that it is not noticeable. But with the X-Frame-Options solution you simply do not see your website at all. It will be blocked, like with Google in the above example. So my question is: which one of the solutions is better? Blocking it completely, or breaking out of the iframe (slow in 2 browsers)?

Answer

Zorayr · Aug 12, 2013

In my experience, setting X-Frame-Options (XFO) rules works much better than breaking out of iframes. When it comes to rules, it really depends on whether you absolutely have to use iframes. If you can remove iframes from your website completely, using the DENY rule would be best; however, if you still have iframes in your site, use the SAMEORIGIN rule.

The differences between the available rules are outlined below (quoted from IETF):

  1. DENY A browser receiving content with this header MUST NOT display this content in any frame.

  2. SAMEORIGIN A browser receiving content with this header MUST NOT display this content in any frame from a page of different origin than the content itself. If a browser or plugin can not reliably determine whether the origin of the content and the frame have the same origin, this MUST be treated as "DENY". [TBD] current implementations do not display if the origin of the top-level-browsing-context is different than the origin of the page containing the X-FRAME-OPTIONS header.

  3. ALLOW-FROM (followed by a URI of trusted origins) A browser receiving content with this header MUST NOT display this content in any frame from a page of different origin than the listed origin. While this can expose the page to risks by the trusted origin, in some cases it may be necessary to use content from other domains. For example: X-FRAME-OPTIONS: ALLOW-FROM https://www.domain.com/

I would also suggest reading Clickjack attack – the hidden threat right in front of you by Troy Hunt.

Hope this helps.
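As an added example (not code from the question or the answer), here is a small JavaScript model of how a browser applies the three X-Frame-Options rules quoted above before rendering a framed page, which is why the header blocks the frame outright while a frame-busting script can only act after the page has already started loading. The origins used in the comments and checks (app.example, attacker.example) are constructed for illustration.

```javascript
// Model of a browser's X-Frame-Options decision for a page loaded inside a frame.
// Assumptions: origins are given as full URLs; ALLOW-FROM is included only to
// mirror the quoted rules (it was never widely implemented and is now obsolete).

function originOf(url) {
  // scheme + host + port: the tuple browsers compare for "same origin"
  return new URL(url).origin;
}

// Parse the header into a policy object, or null when there is no usable rule.
// Browsers ignore a malformed X-Frame-Options value entirely, so a typo such as
// "SAME-ORIGIN" leaves the page frameable; that is the main operational caveat.
function parseXfo(headerValue) {
  if (headerValue === undefined || headerValue === null) return null;
  const v = headerValue.trim();
  const upper = v.toUpperCase();
  if (upper === 'DENY') return { rule: 'DENY' };
  if (upper === 'SAMEORIGIN') return { rule: 'SAMEORIGIN' };
  if (upper.startsWith('ALLOW-FROM ')) {
    try {
      return { rule: 'ALLOW-FROM', allowed: originOf(v.slice('ALLOW-FROM '.length).trim()) };
    } catch (e) {
      return null; // unparsable URI: no usable rule
    }
  }
  return null;
}

// Would the browser render `contentUrl` (the page carrying `headerValue`) inside a
// frame whose top-level browsing context is `topUrl`?  Pass topUrl = null when the
// top-level origin cannot be determined; the rules say that must be treated as DENY.
function framingAllowed(headerValue, contentUrl, topUrl) {
  const policy = parseXfo(headerValue);
  if (policy === null) return true;          // no valid header: nothing restricts framing
  if (policy.rule === 'DENY') return false;  // never framed, by anyone
  if (topUrl === null) return false;         // origin unknown: treat as DENY
  const top = originOf(topUrl);
  if (policy.rule === 'SAMEORIGIN') return top === originOf(contentUrl);
  return top === policy.allowed;             // ALLOW-FROM: only the listed origin
}
```

The same decision is what the asker saw with Google in the test page: the response carries the header, so the browser refuses to paint the frame instead of loading it and then escaping.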