
Let's assume we have a web page that can't use X-Frame-Options, and the Clickjacking protection has to be JavaScript based. On this page, all sensitive actions and the display of sensitive information are JS based, so for the sake of the question we can assume JS is enabled and running.

The current standard technique involves comparing self with top and displaying content depending on the outcome. Example from OWASP:

<style id="antiClickjack">body{display:none !important;}</style>

And then delete that style by its ID immediately after in the script:

<script type="text/javascript">
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       top.location = self.location;
   }
</script>

I would call this approach "fail closed" because content remains invisible until JS considers self equal to top.

There's also a commonly used "fail open" technique where, if self does not equal top, content is hidden via CSS or by setting document.body.innerHTML=''.

Question: can the latter protection be bypassed in ways other than using the sandbox attribute on the parent's iframe?

I didn't think so until I read this blog comment comparing the two techniques, and it made me wonder whether "fail open" is safe enough:

"You could use various JS payloads on the parent page to make the framebusting script in the iframe fail, preventing it from hiding the content of the page. [...] The ones that instead make the content of the page appear if it is not being framed were and are still perfectly fine."

kazhtaco
  • Why can't you use `X-Frame-Options`? How about using [CSP](http://www.html5rocks.com/en/tutorials/security/content-security-policy/) instead? – Anders Jun 23 '16 at 15:20
  • 1
    No XFO because it's a legacy site that needs to be framed by "friendly" pages. No CSP because frame-ancestors did not exist at the time the site was built. Ultimately the answer to your question is that I'm not in a position to propose such changes unless the current implementation is deemed insecure. That's why my question is not how to best protect against CJ in general, but whether the quoted comment is correct and an outer frame can indeed bypass the "fail open" protection. – kazhtaco Jun 23 '16 at 15:51

1 Answer


As per your cited OWASP article, there are some examples further down the page, e.g. this one to prevent the framebuster code from loading at all:

<iframe src="http://www.victim.com/?v=<script>if">

This can be mitigated through the use of security headers:

X-XSS-Protection: 1; mode=block

This will prevent the entire page from being rendered should such a query string attack take place.

SilverlightFox
  • Thanks, but the onbeforeunload examples will not prevent the hiding of the content, which is what I'm asking about. However, the one abusing a browser's XSS filter may be what the author of the comment meant. I'll wait a few more days and will mark this as the accepted answer if nothing more specific to hiding/displaying content comes up. (I'm still actively researching.) – kazhtaco Jun 24 '16 at 17:35
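The following is an added example, not code from the question, the answer or OWASP. It models the two framebusters from the question (the OWASP "fail closed" variant that starts hidden and the "fail open" variant that starts visible and blanks the body when framed) against a minimal stand-in for the DOM, so the failure modes can be compared outside a browser. The `scriptRuns=false` case stands for an attacker who stops the inline script from executing at all, which is what the reflected `?v=<script>if` trick against a browser XSS filter in the answer achieves; the document and window stubs, the `simulate` helper and the example origins are assumptions made for the model.

```javascript
'use strict';

// Stand-in for the DOM pieces the two framebusters touch (assumption: the
// fail-closed page carries <style id="antiClickjack"> in <head>, and <body>
// holds the sensitive content).
function makeDocument({ withAntiClickjackStyle }) {
  const head = { children: [] };
  head.removeChild = (el) => {
    head.children = head.children.filter((c) => c !== el);
  };
  if (withAntiClickjackStyle) {
    head.children.push({ id: 'antiClickjack', parentNode: head });
  }
  return {
    head,
    body: { innerHTML: '<p>sensitive content</p>' },
    getElementById(id) {
      return head.children.find((c) => c.id === id) || null;
    },
  };
}

// Stand-in for window.self / window.top. When framed, self and top differ.
// The origins are made up for the example.
function makeWindow({ framed }) {
  const top = { location: 'https://attacker.example/' };
  const self = framed ? { location: 'https://victim.example/' } : top;
  return { self, top };
}

// OWASP fail-closed framebuster: the body starts hidden by the style and the
// script removes the style only when the page is the top-level document.
function failClosedScript(win, doc) {
  if (win.self === win.top) {
    const antiClickjack = doc.getElementById('antiClickjack');
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    win.top.location = win.self.location;
  }
}

// Fail-open framebuster: the body starts visible and is blanked when framed.
function failOpenScript(win, doc) {
  if (win.self !== win.top) {
    doc.body.innerHTML = '';
  }
}

// What a user sees once the page has loaded: content is visible only when the
// hiding style is gone and the body was not blanked.
function contentVisible(doc) {
  const stillHidden = doc.getElementById('antiClickjack') !== null;
  return !stillHidden && doc.body.innerHTML !== '';
}

// Load one variant under the given conditions. scriptRuns=false models the
// framebuster script being prevented from executing at all.
function simulate({ variant, framed, scriptRuns }) {
  const doc = makeDocument({ withAntiClickjackStyle: variant === 'fail-closed' });
  const win = makeWindow({ framed });
  if (scriptRuns) {
    (variant === 'fail-closed' ? failClosedScript : failOpenScript)(win, doc);
  }
  return {
    visible: contentVisible(doc),
    topRedirected: framed && win.top.location === win.self.location,
  };
}

// Walk through the cases the question asks about.
for (const variant of ['fail-closed', 'fail-open']) {
  for (const framed of [false, true]) {
    for (const scriptRuns of [true, false]) {
      const r = simulate({ variant, framed, scriptRuns });
      console.log(`${variant} framed=${framed} scriptRuns=${scriptRuns} -> visible=${r.visible}`);
    }
  }
}
```

The case that matters is `framed=true, scriptRuns=false`: the fail-closed page stays hidden because hiding is its initial state, while the fail-open page stays visible because the script that would have hidden it never ran. Both variants behave identically whenever the script does execute, which is why the weakness only shows up under attacks that suppress the script rather than attacks that merely prevent the redirect.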