OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

V11.10 – Missing CSP approach to mitigate clickjacking attacks #63

Closed vizzdoom closed 9 years ago

vizzdoom commented 9 years ago

X-Frame-Options is very good protection against clickjacking attacks. The problem with XFO is that it is a non-standard header which has problems with domain whitelisting (the widely supported values for XFO are only deny and sameorigin).

Nowadays XFO is a part of Content Security Policy (v2). We have the possibility of defining framing as blocking (none), same-origin (self) and ALSO domain whitelisting, e.g.:
Content-Security-Policy: frame-ancestors 'none';
Content-Security-Policy: frame-ancestors 'self';
Content-Security-Policy: frame-ancestors 'self' my.second.domain.com mythird.cdn.com;

I suggest rewriting V11.10 to use the CSP approach and also adding information about adding the X-Frame-Options header for old-browser compatibility (if accessible for the audited web application).
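As an added example (not part of this issue or of ASVS), a small Python model of the policies described in the comment above: it parses frame-ancestors out of a CSP header value, decides whether a given parent origin may frame the page, and derives the X-Frame-Options fallback for browsers without CSP 2 support. The origins and domains are constructed for illustration, and port matching is left out for brevity.

```python
from urllib.parse import urlsplit

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP header value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def _host_matches(source, origin):
    """Match one host-source ('cdn.example', 'https://cdn.example', '*.example', '*') against an origin; ports ignored."""
    o = urlsplit(origin)
    scheme, _, host = source.rpartition("://")   # scheme is '' when the source gives none
    host = host.split(":")[0].lower()
    if scheme and scheme.lower() != o.scheme.lower():
        return False                             # explicit scheme in the source must match
    if host == "*":
        return True
    if host.startswith("*."):
        return o.hostname.endswith(host[1:])     # '*.example' matches 'a.example', not 'example'
    return o.hostname == host

def framing_allowed(csp, page_origin, parent_origin):
    """True if a page served from page_origin with this CSP may be framed by parent_origin."""
    sources = parse_frame_ancestors(csp)
    if sources is None:
        return True                              # no directive: CSP imposes no framing restriction
    if [s.lower() for s in sources] == ["'none'"]:
        return False                             # 'none' blocks every ancestor
    for src in sources:
        if src.lower() == "'self'":
            if parent_origin.lower() == page_origin.lower():
                return True
        elif not src.startswith("'") and _host_matches(src, parent_origin):
            return True
    return False                                 # whitelist exhausted without a match

def xfo_fallback(csp):
    """X-Frame-Options value with the same meaning, for browsers that predate CSP 2.
    Only DENY and SAMEORIGIN are widely supported, so a whitelist has no exact equivalent."""
    lowered = [s.lower() for s in (parse_frame_ancestors(csp) or [])]
    if lowered == ["'none'"]:
        return "DENY"
    if lowered == ["'self'"]:
        return "SAMEORIGIN"
    return None
```

When xfo_fallback returns None, the whitelist case, a legacy browser gets no protection from this header pair; that is the gap the comment above is pointing at.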

danielcuthbert commented 9 years ago

Amended to refer to CSP v2. Not sure about adding the X-Frame-Options header as this might clutter and confuse.