The 14(c) system will become a modern, digital-first service. Applicants will be provided an intuitive online experience, guiding them through the information needed to complete their application correctly.
Notes: Add a story to ZenHub for this possibility. The information below and the link suffice for implementation. Discuss with Prabhakar.
Fix: Browser vendors have introduced and adopted a policy-based mitigation using the X-Frame-Options response header.
Developers use this header to tell the browser what to do when their page is loaded inside an iframe. The header must be
set to exactly one of the following values:
•DENY
The page may not be framed by any page, including pages from its own origin.
•SAMEORIGIN
The page may be framed only by a page from the same origin as the page being framed.
•ALLOW-FROM origin
The page may be framed only by pages from the single origin given; the header takes one origin, not a list. This value is
obsolete: Chrome and Safari never supported it, Firefox has removed support, and a browser that does not recognise the value
ignores the header, which leaves the page framable. Where a specific third-party origin must be allowed, use the
Content-Security-Policy header's frame-ancestors directive instead, and send DENY or SAMEORIGIN in X-Frame-Options for
browsers that only understand the older header. When both headers are present, browsers that support frame-ancestors
apply it and ignore X-Frame-Options.
Developers must also include client-side frame-busting JavaScript as defence in depth against XFS (cross-frame scripting,
i.e. clickjacking), so that users of older browsers that do not support the X-Frame-Options header are still protected.
Frame-busting scripts can be defeated (for example, the framing page can load the target in a sandboxed iframe so that the
script never runs), so they supplement the header rather than replace it.
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet