
I have read and seen that JavaScript framekiller code doesn't seem to be widely espoused as a panacea solution. Its target use case seems to primarily be legacy browsers or old browser versions that don't support X-Frame-Options.

I am not sure if I am reading this page correctly: https://caniuse.com/?search=X-FRAME-OPTIONS but at the bottom only 49.46% of users support the SAME-ORIGIN option?

https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html#best-for-now-legacy-browser-frame-breaking-script

Instructions on OWASP site Dec 2020:

First apply an ID to the style element itself:

<style id="antiClickjack">
    body{display:none !important;}
</style>

Then, delete that style by its ID immediately after in the script:

<script type="text/javascript">
    if (self === top) {
        var antiClickjack = document.getElementById("antiClickjack");
        antiClickjack.parentNode.removeChild(antiClickjack);
    } else {
        top.location = self.location;
    }
</script>

I note that this looks similar to the recommended code in the 2010 paper *Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites* by Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson: https://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf

Can this javascript framekiller code be (easily) circumvented like some of the examples in this paper?

user1821961
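Added example (not code from the question, from OWASP or from the Rydstedt et al. paper): a small Node model of the frame-busting decision, written to show why the OWASP snippet hides the body with CSS *before* the script runs. It compares a script-only frame buster (body visible by default, script navigates top) with the OWASP hide-then-reveal pattern under two bypass classes the paper describes: the framer disables scripts in the frame (an HTML5 `sandbox` attribute without `allow-scripts`) and the framer cancels the `top.location` navigation (an `onbeforeunload` handler). The page, context and document objects are constructed stand-ins for the browser, not the DOM, and the names `loadVictim`, `clickjackable` and `report` are this example's own.

```javascript
// Victim page variants (constructed). `hideBodyByDefault` models the
// <style id="antiClickjack">body{display:none !important;}</style> rule,
// which the browser applies whether or not any script ever runs.
const NAIVE_PAGE = { name: "script-only buster", hideBodyByDefault: false };
const OWASP_PAGE = { name: "OWASP hide-then-reveal", hideBodyByDefault: true };

// Framing contexts (constructed). `scriptsEnabled` is false when the framer
// uses <iframe sandbox="allow-forms"> (no allow-scripts); `cancelsTopNav`
// is true when the framer's onbeforeunload handler vetoes the navigation
// that `top.location = self.location` tries to start.
const NOT_FRAMED = { framed: false, scriptsEnabled: true, cancelsTopNav: false };
const FRAMED_SANDBOX = { framed: true, scriptsEnabled: false, cancelsTopNav: false };
const FRAMED_CANCEL = { framed: true, scriptsEnabled: true, cancelsTopNav: true };

// Replay the page's load sequence in the given context and return what the
// user ends up with: whether the body is displayed and whether the framed
// page managed to navigate the top window away from the attacker's page.
function loadVictim(page, ctx) {
  const doc = { bodyVisible: !page.hideBodyByDefault, escapedFrame: false };
  if (!ctx.scriptsEnabled) {
    // sandbox: the frame-busting script never executes; the CSS still applies
    return doc;
  }
  if (!ctx.framed) {
    // self === top: the script removes the antiClickjack style
    doc.bodyVisible = true;
  } else {
    // top.location = self.location; the framer may cancel it
    doc.escapedFrame = !ctx.cancelsTopNav;
  }
  return doc;
}

// A page is clickjackable when it stays inside the attacker's frame with its
// content visible, so the user can be tricked into clicking on it.
function clickjackable(page, ctx) {
  const doc = loadVictim(page, ctx);
  return ctx.framed && !doc.escapedFrame && doc.bodyVisible;
}

// Every page/context combination, as a table of outcomes.
function report() {
  const contexts = { NOT_FRAMED, FRAMED_SANDBOX, FRAMED_CANCEL };
  const rows = [];
  for (const page of [NAIVE_PAGE, OWASP_PAGE]) {
    for (const [label, ctx] of Object.entries(contexts)) {
      const doc = loadVictim(page, ctx);
      rows.push({
        page: page.name,
        context: label,
        bodyVisible: doc.bodyVisible,
        escapedFrame: doc.escapedFrame,
        clickjackable: clickjackable(page, ctx),
      });
    }
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report());
}
```

In both bypass contexts the script-only buster is left framed with its content visible, while the OWASP variant is left framed but blank: the attacker has defeated the navigation, not the defence, because the reveal step only ever runs when `self === top`. The model deliberately covers only those two bypass classes; the paper's other material (double framing, referrer-checking mistakes) is not represented, and the real check is to load the page from an attacker-controlled origin in a browser with a sandboxed `<iframe>` and with an `onbeforeunload` handler and see what renders.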
  • When you say "legacy", how "legacy" are we talking? IE 11? Netscape Navigator? –  Dec 16 '20 at 15:43
  • @MechMK1 I have updated and clarified question, I mean any browser (version) that doesn't support X-Frame-Options which appears to be the recommended protection. – user1821961 Dec 16 '20 at 15:51
  • @user1821961: So this is about browsers which are older than 10 years? With such old browsers frame busting is likely the least thing to worry about. – Steffen Ullrich Dec 16 '20 at 15:56
  • According to [MDN](https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options), all commonly used browsers do support X-Frame-Options. This does include extremely old versions of these browsers. – Hendrik Brummermann Dec 16 '20 at 15:58
  • Added this to the question: I am not sure if I am reading this page correctly: https://caniuse.com/?search=X-FRAME-OPTIONS but at the bottom only 49.46% of users support the SAME-ORIGIN option? – user1821961 Dec 16 '20 at 16:18
