Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
PS: I searched for "clickjacking" in this forum, but I couldn't find any posts regarding this problem. That's why I've decided to post it here and make some noise about it
I'm not sure this is something a web developer can realistically combat.
If I understand correctly, an example of this attack is your website loads my website in an iframe. Your website then places a transparent CSS layer over the iframe containing my website, which is used to jack the user's clicks.
The problem is that my website has no way to detect or prevent it from being loaded in your iframe.
In my opinion, the onus is "on the user" if they try to access my website through a "proxy website" of sorts.
VladSun wrote: You got it wrong - your web site is made transparent and put in an iframe over the attacker's site (so it processes the user's clicks).
Aha. I see where this is going.
The possible solution that I read about used a combination of JavaScript and CSS, coupled with a noscript element. Briefly skimming over the comments on the page you linked to, as well as the wiki article, I found workarounds for busting frame busters/killers.
Yes, I found the link through your article. I still need to add the frame busting part to my code, but it should be an easy fix, since I already have the JavaScript detection implemented that way.
After I posted last, I headed to "the office". It took me a bit to grasp the concept, but the light eventually came on. I just needed to really think about it a bit longer. Thanks for bringing up the topic!
Those frame busters can be bypassed. The best solution currently is to send X-Frame-Options header which is supported by IE 8, Chrome, Safari 4 and Firefox (when NoScript is used).
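A PHP helper, added here as an example and not code from anyone in the thread, that sends the X-Frame-Options header from the last reply and also emits the CSS/JavaScript/noscript fallback described earlier for browsers that ignore the header. The function name and the handling of the two policy values are assumptions.

```php
<?php
// Added example, not code from the thread. Sends X-Frame-Options and returns
// the CSS + JavaScript + noscript fallback markup to place inside <head>.
// Function name is an assumption.
declare(strict_types=1);

function send_clickjacking_defenses(string $policy = 'DENY'): string
{
    // Only accept the two values the header defines for all listed browsers.
    if (!in_array($policy, ['DENY', 'SAMEORIGIN'], true)) {
        throw new InvalidArgumentException("Unsupported X-Frame-Options value: $policy");
    }
    // PHP cannot send headers once output has started; fail loudly, not silently.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line; header not sent");
    }
    header('X-Frame-Options: ' . $policy);

    // Fallback: hide the body by default and let JavaScript reveal it only when
    // the page is the top-level window. With scripts disabled the <noscript>
    // block reveals the page, so in that case only the header protects it.
    return <<<'HTML'
<style id="antiClickjack">body { display: none !important; }</style>
<noscript><style>body { display: block !important; }</style></noscript>
<script>
  if (self === top) {
    var s = document.getElementById('antiClickjack');
    s.parentNode.removeChild(s);
  } else {
    // Framed by another page: navigate the top window to our own location.
    top.location = self.location;
  }
</script>
HTML;
}

// Usage: call before emitting any HTML, then echo the snippet inside <head>.
$defenses = send_clickjacking_defenses('SAMEORIGIN');
echo "<!DOCTYPE html><html><head><title>Example</title>{$defenses}</head>"
   . "<body><p>Page content</p></body></html>";
```

The header is the primary defense; the markup only covers browsers that do not honour it, and it still loses to the frame-buster bypasses mentioned above, which is why the two are layered.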