Frontend Scrapbook

Notes that make a difference


By admin

on Mon Aug 17 2020

It’s a UI redress attack. Can be used to capture keystrokes as well.

It makes use of iframes and position on top of UI and hide, thereby giving an illusion to user and tricking the user to perform an action like click.

Stopping ClickJacking :

X-Frame-Options HTTP response header

X-Frame-Options: DENY

X-Frame-Options: SAMEORIGIN


Chrome and Safari doesn’t respect allow-from. Use frame-ancestors CSP directive instead.

This applies to the TOP LEVEL frame only.

For legacy browsers,

if(self === top) {
var cj = document.getElementById(‘clickjack’);
} else {
top.location = self.location;