clickjacking

X-Frame-Options: ALLOW-FROM in firefox and chrome

*爱你&永不变心* submitted on 2019-11-27 18:16:00
I'm implementing a "pass-through" for X-Frame-Options to let a partner site wrap my employer's site in an iframe, as per this article: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx (splitting up URLs to post) In a nutshell, our partner's page has an iframe with a URL against our domain. For any page in our domain, they'll add a special URL argument like &@mykey=topleveldomain.com , telling us what the page's top level domain is. Our filters pick up the partner TLD, if provided, from the URL, and validate it against a whitelist. If it's

X-Frame-Options on apache

落花浮王杯 submitted on 2019-11-27 11:45:00
Question: I am trying to allow some particular domain to access my site via iframe Header set X-Frame-Options ALLOW-FROM https://www.that-site.com I know this could be done by adding the line above to the config of the Apache server. Two questions here. 1) Which config file should it be added to? The Apache server runs on both Unix and Windows, if not the same file. 2) While enabling the allow-from, I still want to be able to run some iframes from my own domain. Can I just add the following line after the allow-from?

X-Frame-Options: ALLOW-FROM in firefox and chrome

偶尔善良 submitted on 2019-11-27 04:03:55
Question: I'm implementing a "pass-through" for X-Frame-Options to let a partner site wrap my employer's site in an iframe, as per this article: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx (splitting up URLs to post) In a nutshell, our partner's page has an iframe with a URL against our domain. For any page in our domain, they'll add a special URL argument like &@mykey=topleveldomain.com , telling us what the page's top level domain is. Our

How to protect widgets from forged requests

折月煮酒 submitted on 2019-11-27 03:51:01
Question: Let's say you have a JavaScript widget which needs to fire off a request to your web application if and only if the user wants to click on it. You don't want this request to be vulnerable to CSRF, so you write an iframe to the page. Based on the origin inheritance rules, the parent site won't be able to read the CSRF token. However, what about clickjacking (or likejacking)? Because of CSRF you must be within an iframe, and therefore the X-Frame-Options cannot help, and the same holds true for