Closed rliebig closed 11 years ago
Why do we need advanced techniques? Doesn't every valid defense test something like top === self?
I would recommend it, because this is an assumption. The context has to be checked; what if the application uses this value for something else? Simply scanning the JavaScript could lead to uncalled-for positives. Also, I don't like this approach: users without JavaScript/APIs aren't protected by it efficiently...
Users without JavaScript aren't as easily affected by clickjacking (because the attacker has to either get the user to click a certain point or open up a lot of frames). There is also little reason for the application to check top === self if not to defend against clickjacking. I agree that a non-heuristic test would be better.
However, looking at the majority of sites there, it seems like one could indeed just forgo the JavaScript-based testing; popular sites either seem to be protected properly or not at all. Therefore, I think we can safely close this issue.
This has to be done with more advanced techniques; JavaScript interpretation is necessary. As it is currently impossible to do this, this is considered Long-Term.
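The distinction the thread draws, between a non-heuristic check (framing headers the browser enforces) and the heuristic signal of a `top === self`-style script, as an added example that is not part of this issue or the project's code. Header names and the regex patterns are standard; the sample responses are constructed, not taken from real sites.

```python
import re
from typing import Dict, Optional, Tuple

# Common frame-busting idioms. Matching one is only a hint that a defense
# exists (the thread's point): the script may use top/self for other reasons,
# and it does nothing for clients without JavaScript.
FRAME_BUST_RE = re.compile(
    r"(top\s*[!=]==?\s*self|self\s*[!=]==?\s*top|top\s*[!=]==?\s*window|"
    r"window\s*[!=]==?\s*top|parent\s*[!=]==?\s*self|top\.location\s*=)"
)

def header_protection(headers: Dict[str, str]) -> Optional[str]:
    """Non-heuristic verdict from response headers, or None if absent.

    CSP frame-ancestors takes precedence over X-Frame-Options in browsers
    that support both, so it is evaluated first. Only DENY/SAMEORIGIN count
    for X-Frame-Options; the obsolete ALLOW-FROM is ignored.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if not sources or sources == ["none"]:
                return "csp:none"  # empty source list matches nothing
            if "*" in sources:
                return None  # explicitly permits any framer
            return "csp:" + ",".join(sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo.startswith(("DENY", "SAMEORIGIN")):
        return "xfo:" + xfo.split()[0]
    return None

def classify(headers: Dict[str, str], body: str) -> Tuple[str, str]:
    """Classify one response as protected, heuristic-only, or unprotected."""
    verdict = header_protection(headers)
    if verdict:
        return ("protected", verdict)
    if FRAME_BUST_RE.search(body):
        return ("heuristic", "frame-busting JavaScript found; verify manually")
    return ("unprotected", "no framing control detected")

# Constructed sample responses (header dict, body) for demonstration only.
SAMPLES = {
    "header-protected": ({"X-Frame-Options": "SAMEORIGIN"}, "<html></html>"),
    "js-only": ({}, "<script>if (top !== self) top.location = self.location;</script>"),
    "none": ({}, "<html></html>"),
}

def audit_samples() -> Dict[str, Tuple[str, str]]:
    return {name: classify(h, b) for name, (h, b) in SAMPLES.items()}
```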