
I am using this code. In the header section of the page, this CSS rule:

html{display:none;}

And then this javascript:

if (self == top) {
  // Top-level document: undo the CSS hiding rule and show the page.
  document.documentElement.style.display = 'block';
} else {
  // Framed: try to break out by navigating the top window to this page.
  top.location = self.location;
}

Can I consider it safe against clickjacking from mobile devices?
If not, do I have to add other protections like the X-Frame-Options header, or others?

user1014351
  • Note: this question is different from http://security.stackexchange.com/questions/103207/should-one-use-framekiller-code-avoid-others-embedding-https-pages-in-iframes since I'm asking about a specific implementation of it – user1014351 Dec 31 '15 at 12:56
  • 1
    Note: most importantly, it will render the whole site useless for anyone who has JavaScript disabled, and it will reduce the overall performance of the website, especially on mobile devices. You are better off using the X-Frame-Options header for performance and usability reasons. – James Cameron Dec 31 '15 at 16:35
  • No, it will render the page useless; that is exactly what I want. Also, in 2016 I think nobody has phones with browsers without JavaScript. – user1014351 Jan 14 '16 at 11:35
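The comments above argue about what happens to this defence when the embedding page disables scripts or blocks the break-out. The following is an added example, not code from the question: an offline model of the posted technique (the html{display:none;} rule plus the reveal-or-bust script) next to the weaker classic framebuster that has no hiding rule, run against constructed stand-ins for window, top and document. The scenario names, the victim URL and the three top-navigation behaviours are assumptions chosen for illustration.

```javascript
// Added example, not code from the original question: an offline model of the
// posted defence (CSS html{display:none;} plus a script that reveals the page
// only at top level and otherwise tries to break out of the frame). The
// window, document and location objects are constructed stand-ins, not the
// real DOM; the scenarios are assumptions about what an embedding page can do.

// Build one constructed environment.
//   framed:        the page is inside another document
//   topNavigation: 'allowed'   assigning top.location navigates the top frame
//                  'blocked'   the assignment throws, as in a sandboxed iframe
//                              without allow-top-navigation
//                  'cancelled' the assignment is silently dropped, as when the
//                              embedder cancels the navigation (onbeforeunload)
function makeEnv({ framed, topNavigation = 'allowed' }) {
  const navigations = [];
  const selfWin = { location: 'https://victim.example/account' };
  const topWin = framed
    ? {
        set location(url) {
          if (topNavigation === 'blocked') {
            throw new Error('SecurityError: top navigation not permitted');
          }
          if (topNavigation === 'allowed') navigations.push(url);
        },
      }
    : selfWin;
  const doc = { documentElement: { style: { display: '' } } };
  return { selfWin, topWin, doc, navigations };
}

// The questioner's defence: hidden by the stylesheet until the script proves
// the page is top-level; when framed, try to navigate the top window away.
const hideThenReveal = {
  initialDisplay: 'none', // html{display:none;}
  script({ selfWin, topWin, doc }) {
    if (selfWin === topWin) {
      doc.documentElement.style.display = 'block';
    } else {
      topWin.location = selfWin.location;
    }
  },
};

// The weaker classic framebuster for comparison: the content is visible from
// the start and the script only attempts to break out.
const bustOnly = {
  initialDisplay: 'block', // no hiding rule in the stylesheet
  script({ selfWin, topWin }) {
    if (selfWin !== topWin) topWin.location = selfWin.location;
  },
};

// Run one defence under one scenario. scriptsEnabled: false models
// <iframe sandbox> without allow-scripts, where no script runs at all.
function outcome(defence, scenario) {
  const env = makeEnv(scenario);
  env.doc.documentElement.style.display = defence.initialDisplay;
  if (scenario.scriptsEnabled !== false) {
    try {
      defence.script(env);
    } catch (e) {
      // A blocked top navigation throws; the page is left as it is.
    }
  }
  const display = env.doc.documentElement.style.display;
  const escaped = env.navigations.length > 0;
  return {
    display,
    escaped,
    // Clickjackable: still framed, content shown, frame not broken out of.
    visibleInFrame: Boolean(scenario.framed) && display === 'block' && !escaped,
  };
}

const scenarios = [
  { name: 'top-level page', framed: false },
  { name: 'framed, top navigation allowed', framed: true, topNavigation: 'allowed' },
  { name: 'framed, top navigation blocked', framed: true, topNavigation: 'blocked' },
  { name: 'framed, top navigation cancelled', framed: true, topNavigation: 'cancelled' },
  { name: 'framed, scripts disabled', framed: true, scriptsEnabled: false },
];

// For each scenario, does each defence leave the page clickable in the frame?
function compare() {
  return scenarios.map((s) => ({
    scenario: s.name,
    hideThenRevealClickjackable: outcome(hideThenReveal, s).visibleInFrame,
    bustOnlyClickjackable: outcome(bustOnly, s).visibleInFrame,
  }));
}

for (const row of compare()) console.log(row);
```

The point the model makes is the ordering: because the stylesheet hides the page before any script runs, every way of defeating the break-out (sandboxing the frame, blocking or cancelling the navigation, disabling scripts) leaves the page hidden rather than clickable, whereas the bust-only variant fails open in each of those cases. The model says nothing about whether a given mobile browser honours sandbox or top-navigation rules; it only shows which way the defence fails when it does.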

1 Answer


In my opinion there's no such thing as a frame killer/buster script, as JavaScript can be disabled in the <iframe> tag, rendering your code useless.

The best way to protect your application from clickjacking attacks, for modern browsers, is configuring your web server to send the X-Frame-Options response header.

Configuring this is quite easy:

Apache: in httpd.conf add:

  Header always append X-Frame-Options SAMEORIGIN

Nginx: in nginx.conf add:

  add_header X-Frame-Options "SAMEORIGIN";

Vilican
Jeroen
  • In the Apache header, `set` instead of `append` would probably be better. The point is that `set` will override this header if it is already set. – Vilican Dec 31 '15 at 17:19
  • Ah you mean from an application perspective to override it server side. Yeah, I guess that's an idea depending on the requirements. – Jeroen Dec 31 '15 at 18:05
  • If JavaScript is disabled, you don't see anything... There is the CSS rule: html{display:none;} – user1014351 Jan 14 '16 at 11:32
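The answer recommends the header and the comment thread raises `append` versus `set`; what a practitioner then wants is a way to check what the server actually sends. The following is an added example, not part of the answer: a checker that takes a response's headers and decides how a browser would treat an attempt by one URL to frame another. It applies the X-Frame-Options rules from RFC 7034, flags the multi-valued header that `Header append` can produce as a misconfiguration rather than guessing how each browser resolves it, and also consults Content-Security-Policy frame-ancestors, which is this editor's addition (the answer only mentions X-Frame-Options) and which, where a browser enforces it, overrides X-Frame-Options for that response. The header map layout, the sample responses and the victim/partner/attacker hostnames are constructed for illustration.

```javascript
// Added example, not part of the original answer: decide how a browser would
// treat an attempt by embedderUrl to frame pageUrl, given the response headers
// the server sent. X-Frame-Options follows RFC 7034; CSP frame-ancestors is
// checked first because it overrides X-Frame-Options where enforced (this
// editor's addition). The sample responses below are constructed, not captured.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };
const portOf = (u) => u.port || DEFAULT_PORT[u.protocol] || '';

// Does one frame-ancestors source expression match the embedding URL?
// Handles 'none', 'self', '*', scheme sources and host sources with an
// optional *. wildcard and port; this is not the full CSP grammar.
function matchesSource(src, embedder, page) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder.origin === page.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\*|\d+))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const schemeOk = scheme
    ? embedder.protocol === `${scheme}:`
    : embedder.protocol === page.protocol || (page.protocol === 'http:' && embedder.protocol === 'https:');
  if (!schemeOk) return false;
  if (wildcard ? !embedder.hostname.endsWith(`.${host}`) : embedder.hostname !== host) return false;
  if (port === undefined) return embedder.port === ''; // no port given: default port only
  return port === '*' || portOf(embedder) === port;
}

// Source list of the frame-ancestors directive in one CSP header value, or
// null when that policy says nothing about framing.
function parseFrameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// headers: lower-case name -> array of values, so repeated headers are kept.
// Returns { verdict: 'allowed' | 'denied' | 'misconfigured', by: reason }.
function framingVerdict(headers, pageUrl, embedderUrl) {
  const page = new URL(pageUrl);
  const embedder = new URL(embedderUrl);

  const policies = (headers['content-security-policy'] || [])
    .map(parseFrameAncestors)
    .filter((list) => list !== null);
  if (policies.length > 0) {
    // Every policy that restricts framing must allow this embedder.
    const ok = policies.every((list) => list.some((src) => matchesSource(src, embedder, page)));
    return { verdict: ok ? 'allowed' : 'denied', by: 'CSP frame-ancestors' };
  }

  // Apache's `Header append` (and duplicated rules) can produce several values;
  // distinct values are a conflict to fix, not something to guess about.
  const values = (headers['x-frame-options'] || [])
    .flatMap((v) => v.split(','))
    .map((v) => v.trim().toUpperCase())
    .filter(Boolean);
  const distinct = [...new Set(values)];
  if (distinct.length === 0) return { verdict: 'allowed', by: 'no framing policy sent' };
  if (distinct.length > 1) return { verdict: 'misconfigured', by: `conflicting X-Frame-Options: ${distinct.join(' | ')}` };
  const [value] = distinct;
  if (value === 'DENY') return { verdict: 'denied', by: 'X-Frame-Options: DENY' };
  if (value === 'SAMEORIGIN') {
    return { verdict: embedder.origin === page.origin ? 'allowed' : 'denied', by: 'X-Frame-Options: SAMEORIGIN' };
  }
  // ALLOW-FROM was never implemented by Chromium or WebKit, and unknown values
  // are ignored, so either way those browsers will frame the page.
  return { verdict: 'misconfigured', by: `unsupported X-Frame-Options value: ${value}` };
}

// Constructed sample responses for a page at PAGE (not captured traffic).
const PAGE = 'https://victim.example/account';
const SAMPLES = {
  none: {},
  sameorigin: { 'x-frame-options': ['SAMEORIGIN'] },
  appended: { 'x-frame-options': ['DENY, SAMEORIGIN'] }, // what `Header append` can yield
  allowFrom: { 'x-frame-options': ['ALLOW-FROM https://partner.example'] },
  cspWins: {
    'x-frame-options': ['DENY'],
    'content-security-policy': ["default-src 'self'; frame-ancestors 'self' https://*.partner.example"],
  },
  cspNoFraming: { 'x-frame-options': ['SAMEORIGIN'], 'content-security-policy': ["default-src 'self'"] },
};

// Verdict per sample for one embedding page.
function report(embedderUrl) {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, h]) => [name, framingVerdict(h, PAGE, embedderUrl).verdict]),
  );
}

console.log(report('https://attacker.example/'));
console.log(report('https://app.partner.example/'));
```

To use it against a live site, fetch the page with any HTTP client, lower-case the header names, collect repeated headers into arrays and pass the result to framingVerdict together with the page URL and the origin you want to test. A 'misconfigured' verdict is the case the `set` versus `append` comment is about: two different X-Frame-Options values in one response mean the server-side rule and the application disagree, and the fix is to make one of them win deliberately rather than rely on how a particular browser resolves the conflict.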