't Bijstere spoor

A blog about Web development

Frame busting and clickjacking prevention

Clickjacking allows an attacker to trick your users into clicking parts of your interface without their consent. A simple way to describe this: an attacker embeds your application in their site as an iframe and shows a completely different interface on top of that iframe. You think you are clicking buttons on the page you are looking at, while in fact you are hitting, for example, the 'Delete my account' button in GMail.

Because this technique relies entirely on frames, it can be circumvented by using a 'frame busting' technique. As a bonus, this will also stop sites such as Digg from stealing and monetizing your content by framing it.

Frame busting can be achieved with a simple javascript technique:

<script type="text/javascript">
if (top !== self) top.location.replace(self.location.href);
</script>

Security through javascript?

If you think this sounds like a bad idea, you are probably right. Users might simply have javascript disabled, and I also don't like relying on UI developers too much to implement preventive security measures (although I realize in most cases you do have to).

In Internet Explorer the situation is worse: IE allows the framing page to specify the non-standard attribute security="restricted":

<iframe src="http://www.rooftopsolutions.nl/" security="restricted"></iframe>

This attribute tells IE not to execute any javascript in the iframe, which in itself is not a bad security measure against other types of attacks. In this case, however, it lets the attacker disable the frame busting script.

X-Frame-Options

Thankfully, Internet Explorer 8 introduces a new feature that allows the site owner to disallow framing altogether, which in my opinion is an even better protection mechanism, because it doesn't rely on javascript being executed.

The http header is specified as follows:

X-FRAME-OPTIONS: SAMEORIGIN
X-FRAME-OPTIONS: DENY

You only have to specify one of these two: 'sameorigin' means the page can only be framed by an html page hosted on the same domain, while 'deny' blocks framing altogether.

PHP example:

<?php
header('X-FRAME-OPTIONS: DENY');
?>

Firefox also appears to have started implementing this feature, and there's a feature request for webkit open as well.
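To make the two header values concrete, here is a small policy checker I added for this post (it is not code from the original article): given a framed page's response headers, the URL in the iframe and the URL of the framing page, it reports whether a browser that implements X-Frame-Options would allow the frame. The header matching, the same-origin comparison and the sample origins are my own assumptions; a missing header is reported as "framable", which is the situation the next section warns about.

```python
"""Decide whether a response's X-Frame-Options header lets a page be framed.

Added example, not from the original post. The origins used in the test
cases are constructed for illustration.
"""
from urllib.parse import urlsplit


def get_header(headers, name):
    """Return the value of an HTTP header, matching the name case-insensitively."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value.strip()
    return None


def origin_of(url):
    """Reduce a URL to (scheme, host, port), the tuple the same-origin test compares."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.hostname, parts.port)


def framing_allowed(headers, framed_url, framer_url):
    """Apply the X-Frame-Options policy of the framed response.

    headers:    list of (name, value) tuples from the framed page's response
    framed_url: the URL loaded into the iframe
    framer_url: the URL of the page that contains the iframe

    Returns (allowed, reason). No header at all means the browser frames the
    page freely, which is the common 'not implemented' case.
    """
    value = get_header(headers, "X-Frame-Options")
    if value is None:
        return True, "no X-Frame-Options header: page can be framed by any site"
    policy = value.upper()
    if policy == "DENY":
        return False, "DENY: framing refused for every origin"
    if policy == "SAMEORIGIN":
        if origin_of(framed_url) == origin_of(framer_url):
            return True, "SAMEORIGIN: framer has the same origin as the page"
        return False, "SAMEORIGIN: framer origin differs, framing refused"
    # Assumption: a value the browser does not recognise is ignored rather than
    # treated as DENY, so the page stays framable; surface the misconfiguration.
    return True, f"unrecognised value {value!r}: header ignored, page can be framed"


if __name__ == "__main__":
    sample = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
    print(framing_allowed(sample, "https://app.example/settings", "https://evil.example/"))
```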

Protecting yourself

Unfortunately you can safely assume most sites don't implement either of these security measures. For Firefox users I would therefore strongly recommend the NoScript plugin: not only does it implement X-FRAME-OPTIONS for Firefox, it also actively detects clickjacking attempts.

Reference: hackademix.net


IE8 comprehensive protection

Today on the IE blog a big announcement was made regarding the upcoming security features in Internet Explorer 8.

Definitely check it out! Among other things it includes an XSS protection filter, HTML sanitizing built straight into the scripting engine, and a way to disable the infamous 'content sniffing'. I would still prefer the content-sniffing 'feature' to be opt-in instead of the proposed opt-out... but hey, at least it allows us to plug the hole.

To serve files as text/plain without IE sniffing the content, send the document with the Content-Type header set as:

Content-Type: text/plain; authoritative=true;

I have to say, I'm quite impressed how IE is catching up with things like standards and security.


First glance on IE8

Random notes:

  • For IE7 the focus was on security; for IE8 it is user experience.
  • The IE guy is explaining how interoperability hurts innovation, because too much time is lost in fixing these issues (can't help but getting a big DUH! feeling).
  • He explains how there's a lot of content on the web that depends on the buggy behaviour of older IE versions, so there's a challenge to solve. IE8 will introduce a compatibility mode; a lot of information, with big opinion pieces from people who either love or hate this, can be found on A List Apart. Look for version targeting.
  • Looks like they created a Firebug-like tool for IE..

HTML 5

  • Making the back button work using the HTML5 hash function? Can't actually find any info on this, and I think this can be implemented today?
  • HTML connection events.. very cool: javascript can catch an event if the internet connection is gone!

OpenService

Seems to be about deep browser integration.. Subscribing to Webslices.. Seems to be a mini iframe integrated into the toolbar.. Examples are shown of Facebook status updates and eBay auctions..

To integrate, add the 'hslice' css class to a div.. If you go to your Facebook homepage and look at the source, you'll notice there are 'hslice' css classes.