CUTCODEDOWN
Minimalist Semantic Markup


Author Topic: antiClick Jacking  (Read 78 times)

AndrewTraub

  • Jr. Member
  • **
  • Posts: 66
  • Karma: +0/-0
antiClick Jacking
« on: 18 Jan 2023, 09:41:13 am »
When getting a site audited a few years ago for security by my merchant processor, they required me to put this code at the top of the head section of each page:
Code: [Select]
<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
if (self === top) {
    let antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
} else {
    top.location = self.location;
}
</script>
When testing a new version of the site, and using a Chrome extension to turn off JavaScript (called "Quick Javascript Switcher"), the page appears blank, so it seems this antiClick jack method makes the page not work if JavaScript is disabled. I'm not even sure how click jacking works, but am wondering if removing the display:none will allow users with JavaScript disabled to still use the site while also serving the antiClick jack purpose, or if there's a better way to prevent click jacking.

Dave

  • Junior Member
  • *
  • Posts: 27
  • Karma: +7/-0
Re: antiClick Jacking
« Reply #1 on: 18 Jan 2023, 01:27:53 pm »
Try it and see? Seems like the fastest way to answer your question.
Dave

mmerlinn

  • Jr. Member
  • **
  • Posts: 75
  • Karma: +9/-0
  • Nutcake
Re: antiClick Jacking
« Reply #2 on: 18 Jan 2023, 02:08:30 pm »
Andrew, for an explanation of click jacking and options to foil it, check out this link:

https://javascript.info/clickjacking
The soul purr pus of a spell cheque cur is two valley date hour ignore ants.

AndrewTraub

  • Jr. Member
  • **
  • Posts: 66
  • Karma: +0/-0
Re: antiClick Jacking
« Reply #3 on: 19 Jan 2023, 08:57:29 am »
Thanks. My own research indicates that the prevention needs to come server side, using something like changing the X-Frame-Options or the content security policy. Now I just have to figure out how to do that in Apache.

Jason Knight

  • Administrator
  • Hero Member
  • *****
  • Posts: 871
  • Karma: +166/-1
    • CutCodeDown -- Minimalist Semantic Markup
Re: antiClick Jacking
« Reply #4 on: 20 Jan 2023, 05:56:01 pm »
Don't take this the wrong way, but you know me... that has to be one of the worst scripts I've ever seen. I'm not even sure WTF anyone would even think that would do to stop clickjacking. Not only does it tell non-scripted users to go plow themselves, not a single thing it does would prevent framing.

You have it correct that the proper answer is simply to deny the page being opened in a frame.

X-Frame-Options: DENY

Being the correct header. If you are backing the system with PHP you can just:

header('X-Frame-Options:DENY');

At the start of your code. If you're hosted on Apache you can do it in the .htaccess or conf.httpd

Header append X-Frame-Options: DENY

Though I prefer to wrap that rule in file matching alongside the cache-control and font hosting fixes.

Code: [Select]
<IfModule mod_headers.c>
<FilesMatch "\.(ico|jpg|jpeg|png|webp|gif|swf|avi|wmv|mp4|ogg|js|css|woff|woff2|ttf|eot|otf|svg)$">
Header set Cache-Control "max-age=2592000, public"
</FilesMatch>
<FilesMatch "\.(woff|woff2?)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
<FilesMatch "\.(htm|html|php|pl)$">
Header set X-Frame-Options: DENY
</FilesMatch>
</IfModule>

Only sending that header for files that require it. The CSP thing is more hoodoo voodoo and opens a can of worms an older codebase might not be ready for, and X-Frame-Options has worked for 20+ years so... I don't see browsers dropping support for it any time soon.
« Last Edit: 20 Jan 2023, 07:22:20 pm by Jason Knight »
I'll fix every flaw, I'll break every law, I'll tear up the rulebook if that's what it takes. You will see, I will crush this cold machine.
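Since the thread's conclusion (the header must come from the server, not from a script as in the opening post) is easy to get wrong in Apache config and easy to verify, here is an added checker that is not part of the original posts: given a response header map (the constructed samples are hypothetical, as a `curl -I` of the page would show them), it reports whether the page is protected against framing, applying the rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options and that a script-only frame-buster counts for nothing.

```python
# Constructed sample responses (header name -> value), not captured from any real site.
SAMPLE_RESPONSES = {
    # The opening post's script alone: the browser receives nothing it can enforce.
    "js_only": {"Content-Type": "text/html"},
    # Jason's recommendation.
    "xfo_deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    # Obsolete value: modern browsers ignore it, so the page is framable.
    "xfo_bad": {"Content-Type": "text/html",
                "X-Frame-Options": "ALLOW-FROM https://partner.example"},
    # CSP equivalent of SAMEORIGIN.
    "csp_self": {"Content-Type": "text/html",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    # Both headers present: CSP frame-ancestors wins.
    "csp_and_xfo": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN",
                    "Content-Security-Policy": "frame-ancestors 'none'"},
}


def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def assess_framing(headers):
    """Classify a response as protected / restricted / unprotected against framing."""
    h = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return "protected", "CSP frame-ancestors 'none'"
            return "restricted", "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "protected", "X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            return "restricted", "X-Frame-Options: SAMEORIGIN (same-origin framing allowed)"
        return "unprotected", "X-Frame-Options value %r is not recognised and is ignored" % xfo
    return "unprotected", "no anti-framing header; a script-only frame-buster does not count"


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, *assess_framing(headers))
```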

GrumpyYoungMan

  • Hero Member
  • *****
  • Posts: 665
  • Karma: +8/-0
    • GrumpyYoungMan
Re: antiClick Jacking
« Reply #5 on: 21 Jan 2023, 02:20:28 am »
Jason, please don’t ever change!

I like your "a spade is a spade and I won't dress it up" approach!

When I get the time to sit in front of the computer as I work I think to myself “what would Jason say to this!”
Trying to learn a new trick to prove old dogs can learn new ones...

Total Novice have-a go Amateur Programmer - not sure that is the right thing to say... but trying to learn...

coothead

  • Sr. Member
  • ****
  • Posts: 329
  • Karma: +85/-0
  • I smile benignly
    • coothead's stuff ~ an eclectic collection
Re: antiClick Jacking
« Reply #6 on: 21 Jan 2023, 05:36:46 am »
Quote from: GrumpyYoungMan
...I think to myself “what would Jason say to this!”

You've been a very naughty boy. 

coothead
« Last Edit: 21 Jan 2023, 06:31:03 am by coothead »
~ the original bald headed old fart ~
