Thursday, February 23, 2012

Forbid site to load in frames (or iframes)

Imagine that you have developed a site that has good attendance. An attacker may then want to embed your site, or one of its pages, in a frame on his own page, in order to manipulate the data that users enter while believing they are on your site. This type of attack is known as clickjacking.

Here is a simplified example of a malicious page that frames your site:

<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
  <title>Some stupid title here</title>
</head>
<frameset cols="100%,*" frameborder="no" border="0" framespacing="0">
  <frame name="SiteShowFrame" src="http://www.your-site.com/">
</frameset>
<noframes>
  <body>
   Your browser doesn't support frames
  </body>
</noframes>
</html>

There are several ways of dealing with the embedding of your site into a foreign frame. The main ones are:

1) JavaScript-based checking

You can insert the following code into the head of your document:

<script type="text/javascript">
  // A framed document sees a top-level window that is not itself.
  // (Testing window.parent.frames.length instead would also fire on a
  // top-level page that embeds its own iframes, see method 2 below.)
  if (window.top !== window.self) {
    window.stop(); // abort loading the rest of the document
  }
</script>

It checks whether your document has been loaded inside a frame; if so, loading is stopped by the appropriate command.
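To make the check above testable outside a browser, here is an added example (not code from the original post) that takes the window object as a parameter and compares the correct test, window.top against window.self, with the weaker "count the parent's frames" test. The stand-in window objects are constructed for demonstration only; in a real page you would call frameBust(window).

```javascript
// Added example: frame detection written as functions over a window-like
// object, so it can be exercised against hand-built stand-ins.

// Correct check: when the document is framed, the top-level browsing
// context is a different object from the document's own window.
function isFramed(win) {
  return win.top !== win.self;
}

// Weaker check for comparison: counts the frames owned by the parent.
// A top-level page that embeds its own iframes is its own parent and
// therefore also reports frames, so this gives a false positive there.
function isFramedByParentFrameCount(win) {
  return win.parent.frames.length > 0;
}

// Stops the page from loading when it detects that it is framed.
// Returns true if it stopped the load, so callers can observe the decision.
function frameBust(win) {
  if (!isFramed(win)) return false;
  if (typeof win.stop === 'function') {
    win.stop(); // halts loading of the document and its resources
  } else if (win.document && typeof win.document.execCommand === 'function') {
    win.document.execCommand('Stop'); // equivalent for older Internet Explorer
  }
  return true;
}

// Constructed stand-ins for window objects (demonstration only).
// A top-level window is its own parent and its own top.
function makeTopLevelWindow(childFrameCount) {
  const win = { frames: { length: childFrameCount }, stopped: false };
  win.self = win;
  win.parent = win;
  win.top = win;
  win.stop = function () { win.stopped = true; };
  return win;
}

// A framed window: its parent and top are the (attacker's) outer page,
// which holds exactly one frame, namely this document.
function makeFramedWindow(childFrameCount) {
  const outer = makeTopLevelWindow(1);
  const win = { frames: { length: childFrameCount }, stopped: false };
  win.self = win;
  win.parent = outer;
  win.top = outer;
  win.stop = function () { win.stopped = true; };
  return win;
}
```

The stand-ins mirror the two situations that matter: a page that embeds iframes of its own (which must not stop itself) and a page that has been placed in someone else's frame (which must).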

2) Sending a server header that forbids the browser to show the content in a frame

For Apache you can add the following line to your .htaccess file:

Header always append X-Frame-Options DENY

It tells the browser that your content must not be displayed in a frame. Only modern browsers understand this header, but that cannot really be counted as a drawback.

DENY forbids displaying your content in any frame. If you use frames on your own site, you can put SAMEORIGIN instead of DENY: the browser will then allow the content to be framed only by pages from the same site as the page itself.

More information about this method: https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
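The following added example (not code from the original post) models the decision a browser makes from the X-Frame-Options header for the DENY and SAMEORIGIN values discussed above, so you can check what a given server response would allow. The sample responses are constructed; header names are lower-cased as Node's http module returns them; and treating conflicting directives as a deny, and an unrecognised value like a missing header, are assumptions of this model, not statements about any particular browser.

```javascript
// Added example: evaluates X-Frame-Options the way a framing decision is
// made, given a document's origin and the origin of the top-level page.

// Parses the header value(s). A server that emits the header twice, or
// uses "Header append" on top of an existing value, yields a comma-joined
// list; values are normalised to upper case and de-duplicated.
function parseXFrameOptions(headerValue) {
  if (headerValue === undefined || headerValue === null) return [];
  const raw = Array.isArray(headerValue) ? headerValue.join(',') : String(headerValue);
  const values = raw.split(',').map(v => v.trim().toUpperCase()).filter(v => v.length > 0);
  return Array.from(new Set(values));
}

// Returns true when a document served with these headers may be rendered
// inside a frame whose top-level page has origin topOrigin.
// Assumptions: conflicting directives are treated as a deny (the
// conservative outcome); an unrecognised directive is ignored like a
// missing header.
function framingAllowed(headers, documentOrigin, topOrigin) {
  const directives = parseXFrameOptions(headers['x-frame-options']);
  if (directives.length === 0) return true;   // no header: framing unrestricted
  if (directives.length > 1) return false;    // conflicting values: deny
  const directive = directives[0];
  if (directive === 'DENY') return false;
  if (directive === 'SAMEORIGIN') return documentOrigin === topOrigin;
  return true;                                // unrecognised token: ignored
}

// Constructed sample responses, as a server using each .htaccess setting
// would send them (only the headers relevant to the decision are shown).
const sampleResponses = {
  unprotected:   { 'content-type': 'text/html' },
  deny:          { 'content-type': 'text/html', 'x-frame-options': 'DENY' },
  sameOrigin:    { 'content-type': 'text/html', 'x-frame-options': 'SAMEORIGIN' },
  appendedTwice: { 'content-type': 'text/html', 'x-frame-options': 'DENY, DENY' },
  conflicting:   { 'content-type': 'text/html', 'x-frame-options': ['DENY', 'sameorigin'] },
};

// Origins used in the examples (placeholders, not real hosts).
const SITE = 'http://www.your-site.com';
const OTHER = 'http://attacker.example';

// Summarises, for one response, whether framing from the same site and
// from a foreign site would be permitted.
function framingSummary(headers) {
  return {
    bySameSite: framingAllowed(headers, SITE, SITE),
    byForeignSite: framingAllowed(headers, SITE, OTHER),
  };
}
```

Running framingSummary over the samples shows why SAMEORIGIN is the right choice for a site that frames its own pages: it keeps same-site framing working while still refusing the foreign frame from the malicious page shown at the top of this post.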
