imported>Maxeto0910: period after sentence

2025-06-19T01:55:00Z

period after sentence

New page

{{Short description|Malicious technique of tricking a Web user}}
{{Use dmy dates|date=May 2023}}
[[File:Clickjacking.png|thumb|upright=1.35|In a clickjacking attack, the user is presented with a false interface, where their input is applied to something they cannot see.]]
'''Clickjacking''' (classified as a '''user interface redress attack''' or '''UI redressing''') is a [[Malware|malicious technique]] of tricking a [[User (computing)|user]] into clicking on something different from what the user perceives, thus potentially revealing [[Confidentiality|confidential]] information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including [[web page]]s.<ref>{{cite web|archive-url=https://web.archive.org/web/20150717230102/http://www.pcworld.idg.com.au/article/260609/adobe_request_hackers_nix_clickjacking_talk/|archive-date=2015-07-17|url=http://www.pcworld.idg.com.au/index.php/id;979405561|title=At Adobe's request, hackers nix 'clickjacking' talk|author=Robert McMillan|date=17 September 2008|publisher=PC World|access-date=2008-10-08}}</ref><ref>{{Cite news|url=http://infotech.indiatimes.com/quickiearticleshow/3543527.cms|title=Beware, clickjackers on the prowl|author=Megha Dhawan|date=29 September 2008|access-date=2008-10-08|work=The Times of India|archive-date=24 July 2009|archive-url=https://web.archive.org/web/20090724155021/http://infotech.indiatimes.com/quickiearticleshow/3543527.cms|url-status=dead}}</ref><ref>{{cite web|url=https://www.theregister.co.uk/2008/10/07/clickjacking_surveillance_zombie/|title=Net game turns PC into undercover surveillance zombie|author=Dan Goodin|date=7 October 2008|work=The Register|access-date=2008-10-08}}</ref><ref>{{cite web|url=https://news.yahoo.com/s/nf/20081008/bs_nf/62355|title=Web Surfers Face Dangerous New Threat: 'Clickjacking'|author=Fredrick Lane|date=8 October 2008|publisher=newsfactor.com|archive-url=https://web.archive.org/web/20081013003436/http://news.yahoo.com/s/nf/20081008/bs_nf/62355|archive-date=13 October 2008|url-status=dead|access-date=2008-10-08}}</ref><ref>{{Cite journal|last1=Shahriar|first1=Hossain|last2=Devendran|first2=Vamshee Krishna|date=2014-07-04|title=Classification of Clickjacking Attacks and Detection Techniques|url=http://www.tandfonline.com/doi/abs/10.1080/19393555.2014.931489|journal=Information Security Journal: A Global Perspective|language=en|volume=23|issue=4–6|pages=137–147|doi=10.1080/19393555.2014.931489|s2cid=43912852|issn=1939-3555|url-access=subscription}}</ref>

Clickjacking is an instance of the [[confused deputy problem]], wherein a computer is tricked into misusing its authority.<ref>[http://waterken.sourceforge.net/clickjacking/ The Confused Deputy rides again!], Tyler Close, October 2008</ref>

== History ==
In 2002, it had been noted that it was possible to load a transparent layer over a [[web page]] and have the user's input affect the transparent layer without the user noticing.<ref name="OurEtg">{{Cite web|url=https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf|title=UI Redressing Attacks on Android Devices|last=Niemietz|first=Marcus|date=2012|website=Black Hat}}</ref> However, fixes only started to trickle in around 2004,<ref name="bug_162020">{{cite web |title=162020 - pop up XPInstall/security dialog when user is about to click (comment 44) |url=https://bugzilla.mozilla.org/show_bug.cgi?id=162020#c44 |website=Mozilla/Firefox bug tracker |language=en}}</ref> and the general problem was mostly ignored as a major issue until 2008.<ref name="OurEtg"></ref>

In 2008, Jeremiah Grossman and Robert Hansen (of SecTheory) had discovered that [[Adobe Flash Player]] was able to be clickjacked, allowing an [[Security hacker|attacker]] to gain access to a user's computer without the user's knowledge.<ref name="OurEtg" /> Grossman and Hansen coined the term "clickjacking",<ref>[http://www.securityfocus.com/news/11535/ You don't know (click)jack] Robert Lemos, October 2008</ref><ref>{{Cite web|url=http://www.sectheory.com/clickjacking.htm|title=Facebook Help Number 1-888-996-3777|last=JAstine|first=Berry|access-date=7 June 2016}}</ref> a [[portmanteau]] of the words "click" and "hijacking".<ref name="OurEtg" />

As more attacks of a similar nature were discovered, the focus of the term "UI redressing" was changed to describe the category of these attacks, rather than just clickjacking itself.<ref name="OurEtg" />

==Description==
One form of clickjacking takes advantage of vulnerabilities that are present in applications or web pages to allow the attacker to manipulate the user's computer for their own advantage.

For example, a clickjacked page tricks a user into performing undesired actions by clicking on concealed links. On a clickjacked page, the attackers load another page over the original page in a transparent layer to trick the user into taking actions, the outcomes of which will not be the same as the user expects. The unsuspecting users think that they are clicking visible buttons, while they are actually performing actions on the invisible page, clicking buttons of the page below the layer. The hidden page may be an authentication page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.

== Clickjacking categories ==
* '''''Classic:''''' works mostly through a [[web browser]]<ref name="OurEtg" />
* '''''Likejacking:''''' utilizes [[Facebook|Facebook's]] social media capabilities<ref>{{Cite news|url=https://nakedsecurity.sophos.com/2010/05/31/viral-clickjacking-like-worm-hits-facebook-users/|title=Viral clickjacking 'Like' worm hits Facebook users|date=2010-05-31|work=Naked Security|access-date=2018-10-23|language=en-US}}</ref><ref>{{Cite news|url=https://nakedsecurity.sophos.com/2010/05/31/facebook-likejacking-worm/|title=Facebook Worm – "Likejacking"|date=2010-05-31|work=Naked Security|access-date=2018-10-23|language=en-US}}</ref>
* '''''Nested:''''' clickjacking tailored to affect [[Google+]]<ref name="MrsdKur">{{Cite web|url=https://www.usenix.org/system/files/conference/woot12/woot12-final16.pdf|title=On the fragility and limitations of current Browser-provided Clickjacking protection schemes|last=Lekies|first=Sebastian|date=2012|website=USENIX}}</ref>
* '''''Cursorjacking:''''' manipulates the cursor's appearance and location<ref name="OurEtg" />
* '''''MouseJacking''''': inject keyboard or mouse input via remote RF link<ref>{{Cite web|url=http://www.mousejack.com/|title=Wireless Mouse Hacks & Network Security Protection|website=MOUSEJACK|language=en|access-date=2020-01-03}}</ref>
* '''''Browserless:''''' does not use a browser<ref name="OurEtg" />
* '''''[[Cookiejacking]]:''''' acquires cookies from browsers<ref name="OurEtg" /><ref name="Valotta-2011">{{Cite web|url=https://sites.google.com/site/tentacoloviola/cookiejacking|title=Cookiejacking|last=Valotta|first=Rosario|date=2011|website=tentacoloViola – sites.google.com|access-date=2018-10-23|archive-date=7 August 2019|archive-url=https://web.archive.org/web/20190807214255/https://sites.google.com/site/tentacoloviola/cookiejacking|url-status=dead}}</ref>
* '''''Filejacking:''''' capable of setting up the affected device as a file server<ref name="OurEtg" /><ref name="MtrDyr">{{Cite web|url=http://blog.kotowicz.net/2011/04/how-to-make-file-server-from-your.html|title=Filejacking: How to make a file server from your browser (with HTML5 of course)|website=blog.kotowicz.net|access-date=2018-10-23}}</ref><ref name="JueSm4">{{cite web|title=Password Managers: Attacks and Defenses|url=https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-silver.pdf|access-date=26 July 2015}}</ref>
* '''''Password manager attack:''''' clickjacking that utilizes a vulnerability in the autofill capability of browsers''<ref name="OurEtg" />''

=== Classic ===
Classic clickjacking refers to a situation when an [[Security hacker|attacker]] uses hidden layers on [[web page]]s to manipulate the actions a user's cursor does, resulting in misleading the user about what truly is being clicked on.<ref>{{Cite journal |last1=Sahani |first1=Rishabh |last2=Randhawa |first2=Sukhchandan |date=2021-12-01 |title=Clickjacking: Beware of Clicking |url=https://link.springer.com/10.1007/s11277-021-08852-y |journal=Wireless Personal Communications |language=en |volume=121 |issue=4 |pages=2845–2855 |doi=10.1007/s11277-021-08852-y |s2cid=239691334 |issn=0929-6212|url-access=subscription }}</ref>

A user might receive an email with a link to a video about a news item, but another webpage, say a product page on [[Amazon (company)|Amazon]], can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon. The hacker can only send a single click, so they rely on the fact that the visitor is both logged into [[Amazon (company)|Amazon]] and has 1-click ordering enabled.

While technical implementation of these attacks may be challenging due to cross-browser incompatibilities, a number of tools such as BeEF or [[Metasploit Project]] offer almost fully automated exploitation of clients on vulnerable websites. Clickjacking may be facilitated by – or may facilitate – other web attacks, such as [[Cross-site scripting|XSS]].<ref>{{cite web|url=http://www.exploit-db.com/papers/12987/|title=The Clickjacking meets XSS: a state of art|date=2008-12-26|publisher=Exploit DB|access-date=2015-03-31}}</ref><ref>{{cite web|url=http://blog.kotowicz.net/2011/03/exploiting-unexploitable-xss-with.html|title=Exploiting the unexploitable XSS with clickjacking|author=Krzysztof Kotowicz|access-date=2015-03-31}}</ref>

===Likejacking===
Likejacking is a [[Security hacker|malicious technique]] of tricking users viewing a website into "[[Facebook like button|liking]]" a [[Facebook]] page or other [[social media]] posts/accounts that they did not intentionally mean to "like".<ref>{{cite web|url=http://www.sophos.com/blogs/sophoslabs/?p=9783|title=Facebook Work – "Likejacking"|last=Cohen|first=Richard|date=31 May 2010|publisher=[[Sophos]]|access-date=2010-06-05|archive-url=https://web.archive.org/web/20100604193905/http://www.sophos.com/blogs/sophoslabs/?p=9783|archive-date=4 June 2010|url-status=dead}}</ref> The term "likejacking" came from a comment posted by Corey Ballou in the article ''How to "Like" Anything on the Web (Safely)'',<ref name="corey ballou2">{{cite web|url=http://www.jqueryin.com/2010/06/02/likejacking-term-catches-on/|title="Likejacking" Term Catches On|last=Ballou|first=Corey|date=2 June 2010|publisher=jqueryin.com|archive-url=https://web.archive.org/web/20100605073625/http://www.jqueryin.com/2010/06/02/likejacking-term-catches-on/|archive-date=5 June 2010|url-status=dead|access-date=2010-06-08}}</ref> which is one of the first documented postings explaining the possibility of malicious activity regarding Facebook's "like" button.<ref>{{cite web|url=http://www.readwriteweb.com/archives/likejacking_takes_off_on_facebook.php|title="Likejacking" Takes Off on Facebook|last=Perez|first=Sarah|date=2 June 2010|publisher=ReadWriteWeb|access-date=2010-06-05|archive-url=https://web.archive.org/web/20110816223746/http://www.readwriteweb.com/archives/likejacking_takes_off_on_facebook.php|archive-date=16 August 2011|url-status=dead}}</ref>

According to an article in ''[[IEEE Spectrum]]'', a solution to likejacking was developed at one of Facebook's [[hackathon]]s.<ref>{{cite web|url=https://spectrum.ieee.org/at-work/innovation/facebook-philosophy-move-fast-and-break-things/2|archive-url=https://web.archive.org/web/20110607033033/http://spectrum.ieee.org/at-work/innovation/facebook-philosophy-move-fast-and-break-things/2|url-status=dead|archive-date=7 June 2011|title=Facebook Philosophy: Move Fast and Break Things|last=Kushner|first=David|date=June 2011|publisher=[[IEEE]]|access-date=2011-07-15}}</ref> A "Like" [[bookmarklet]] is available that avoids the possibility of likejacking present in the [[Facebook like button]].<ref>{{cite news|url=https://readwrite.com/2010/04/22/how_to_like_anything_on_the_web_safely/|title=How to "Like" Anything on the Web (Safely)|last=Perez|first=Sarah|date=23 April 2010|work=ReadWriteWeb|access-date=24 August 2011}}</ref>

=== Nested ===
Nested clickjacking, compared to classic clickjacking, works by embedding a malicious web frame between two frames of the original, harmless [[web page]]: that from the framed page and that which is displayed on the top window. This works due to a vulnerability in the HTTP header <code>X-Frame-Options</code>, in which, when this element has the value <code>SAMEORIGIN</code>, the [[web browser]] only checks the two aforementioned layers. The fact that additional frames can be added in between these two while remaining undetected means that [[Security hacker|attackers]] can use this for their benefit.

In the past, with [[Google+]] and the faulty version of <code>X-Frame-Options</code>, [[Security hacker|attackers]] were able to insert frames of their choice by using the vulnerability present in [[Google Images|Google's Image Search engine]]. In between the image display frames, which were present in Google+ as well, these attacker-controlled frames were able to load and not be restricted, allowing for the [[Security hacker|attackers]] to mislead whomever came upon the image display page.<ref name="MrsdKur" />

===Cursorjacking===
CursorJacking is a UI redressing technique to change the cursor from the location the user perceives, discovered in 2010 by Eddy Bordi, a researcher at vulnerability.fr.<ref>{{cite web|url=http://podlipensky.com/2012/08/cursor-spoofing-cursorjacking/|title=Cursor Spoofing and Cursorjacking|last1=Podlipensky|first1=Paul|website=Podlipensky.com|publisher=Paul Podlipensky|access-date=22 November 2017|ref=podlipensky|archive-url=https://web.archive.org/web/20171122130512/http://podlipensky.com/2012/08/cursor-spoofing-cursorjacking/|archive-date=22 November 2017|url-status=dead}}</ref> Marcus Niemietz demonstrated this with a custom cursor icon, and in 2012 Mario Heiderich did so by hiding the cursor.<ref name="Kotowicz2">{{cite web|url=http://blog.kotowicz.net/2012/01/cursorjacking-again.html|title=Cursorjacking Again|author=Krzysztof Kotowicz|date=18 January 2012|access-date=2012-01-31}}</ref>

Jordi Chancel, a researcher at Alternativ-Testing.fr, discovered a CursorJacking vulnerability using Flash, HTML and JavaScript code in Mozilla Firefox on Mac OS X systems (fixed in Firefox 30.0) which can lead to arbitrary code execution and webcam spying.<ref>{{cite web|url=https://www.mozilla.org/security/announce/2014/mfsa2014-50.html|title=Mozilla Foundation Security Advisory 2014-50|publisher=Mozilla|access-date=17 August 2014}}</ref>

A second CursorJacking vulnerability was again discovered by Jordi Chancel in [[Firefox|Mozilla Firefox]] on [[Mac OS X 10.0|Mac OS X]] systems (fixed in Firefox 37.0) using once again [[Adobe Flash|Flash]], [[HTML]] and [[JavaScript]] code which can also lead to spying via a webcam and the execution of a malicious addon, allowing the execution of malware on the affected user's computer.<ref>{{cite web|url=https://www.mozilla.org/en-US/security/advisories/mfsa2015-35/|title=Mozilla Foundation Security Advisory 2015-35|publisher=Mozilla|access-date=25 October 2015}}</ref>

===MouseJack===
Different from other clickjacking techniques that redress a UI, MouseJack is a wireless hardware-based UI vulnerability first reported by Marc Newlin of Bastille.net in 2016 which allows external keyboard input to be injected into vulnerable dongles.<ref>{{Cite web|url=https://www.bastille.net/research/vulnerabilities/mousejack|title=What is MouseJack!|website=Bastille|language=en-US|access-date=2020-01-03}}</ref> [[Logitech]] supplied firmware patches but other manufacturers failed to respond to this vulnerability.<ref>{{Cite web|url=https://www.kb.cert.org/vuls/id/981271/|title=CERT VU#981271 Multiple wireless keyboard/mouse devices use an unsafe proprietary wireless protocol|website=kb.cert.org|access-date=2020-01-03}}</ref>

=== Browserless ===
In Browserless clickjacking, [[Security hacker|attackers]] utilize vulnerabilities in programs to replicate classic clickjacking in them, without being required to use the presence of a web browser.

This method of clickjacking is mainly prevalent among mobile devices, usually on [[Android devices]], especially due to the way in which [[Pop-up notification|toast notifications]] work. Because [[Pop-up notification|toast notifications]] have a small delay in between the moment the notification is requested and the moment the notification actually displays on-screen, [[Security hacker|attackers]] are capable of using that gap to create a dummy button that lies hidden underneath the notification and can still be clicked on.<ref name="OurEtg" />

=== CookieJacking ===
CookieJacking is a form of clickjacking in which cookies are stolen from the victim's [[web browser]]s. This is done by tricking the user into dragging an object which seemingly appears harmless but is in fact making the user select the entire content of the cookie being targeted. From there, the attacker can acquire the cookie and all of the data that it possesses.<ref name="Valotta-2011" />{{Clarify|reason=|date=December 2020}}

=== FileJacking ===
In fileJacking, attackers use the web browser's capability to navigate through the computer and access computer files in order to acquire personal data. It does so by tricking the user into establishing an active file server (through the file and folder selection window that browsers use). With this, attackers can now access and take files from their victims' computers.<ref name="MtrDyr" />

===Password manager attack===
A 2014 paper from researcher at the [[Carnegie Mellon University]] found that while browsers refuse to autofill if the protocol on the current login page is different from the protocol at the time the password was saved, some [[password manager]]s would insecurely fill in passwords for the http version of https-saved passwords. Most managers did not protect against [[Framing (World Wide Web)|iFrame]]- and [[URL redirection|redirection]]-based [[Attack (computing)|attacks]] and exposed additional passwords where [[password synchronization]] had been used between multiple devices.<ref name="JueSm4" />

==Prevention==
===Client-side===
====NoScript====
Protection against clickjacking (including likejacking) can be added to [[Mozilla Firefox]] desktop and mobile<ref>{{cite web|url=http://noscript.net/nsa/|title=NoScript Anywhere|author=Giorgio Maone|date=24 June 2011|publisher=hackademix.net|access-date=2011-06-30}}</ref> versions by installing the [[NoScript]] add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets.<ref>{{cite web|url=http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/|title=Hello ClearClick, Goodbye Clickjacking|author=Giorgio Maone|date=8 October 2008|publisher=hackademix.net|access-date=2008-10-27}}</ref> According to Google's "Browser Security Handbook" from 2008, NoScript's ClearClick is a "freely available product that offers a reasonable degree of protection" against Clickjacking.<ref name="Zalevski2">{{cite web|url=http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)|title=Browser Security Handbook, Part 2, UI Redressing|author=Michal Zalevski|date=10 December 2008|publisher=Google Inc.|access-date=2008-10-27}}</ref> Protection from the newer cursorjacking attack was added to NoScript 2.2.8 RC1.<ref name="Kotowicz2" />

====NoClickjack====
The "NoClickjack" web browser add-on ([[browser extension]]) adds client-side clickjack protection for users of [[Google Chrome]], [[Mozilla Firefox]], [[Opera (web browser)|Opera]] and [[Microsoft Edge]] without interfering with the operation of legitimate iFrames. NoClickjack is based on technology developed for GuardedID. The NoClickjack add-on is free of charge.

====GuardedID====
GuardedID (a commercial product) includes client-side clickjack protection for users of Internet Explorer without interfering with the operation of legitimate iFrames.<ref>{{cite web|url=http://ha.ckers.org/blog/20090204/clickjacking-and-guardedid/|title=Clickjacking and GuardedID ha.ckers.org web application security lab|author=Robert Hansen|date=4 February 2009|access-date=2011-11-30|archive-url=https://archive.today/20120711093803/http://ha.ckers.org/blog/20090204/clickjacking-and-guardedid/|archive-date=11 July 2012|url-status=dead}}</ref> GuardedID clickjack protection forces all frames to become visible. GuardedID teams{{Clarify|reason=|date=December 2020}} with the add-on NoClickjack to add protection for [[Google Chrome]], [[Mozilla Firefox]], [[Opera (web browser)|Opera]] and [[Microsoft Edge]].

====Gazelle====
[[Gazelle (web browser)|Gazelle]] is a [[Microsoft Research]] project secure web browser based on IE, that uses an [[Operating System|OS]]-like security model and has its own limited defenses against clickjacking.<ref>{{cite web|url=http://research.microsoft.com/en-us/um/people/helenw/papers/gazelleSecurity09.pdf|title=The Multi-Principal OS Construction of the Gazelle Web Browser|last1=Wang|first1=Helen J.|author-link=Helen J. Wang|last2=Grier|first2=Chris|date=August 2009|publisher=18th Usenix Security Symposium, Montreal, Canada|access-date=2010-01-26|last3=Moschchuk|first3=Alexander|last4=King|first4=Samuel T.|last5=Choudhury|first5=Piali|last6=Venter|first6=Herman}}</ref> In Gazelle, a window of different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.

====Intersection Observer v2====
The Intersection Observer v2 API<ref>{{cite web|url=https://w3c.github.io/IntersectionObserver/v2/|title=Intersection Observer – W3C Editor's Draft}}</ref> introduces the concept of tracking the actual "visibility" of a target element as a human being would define it.<ref>{{cite web|url=https://developers.google.com/web/updates/2019/02/intersectionobserver-v2|title=Trust is Good, Observation is Better}}</ref> This allows a framed widget to detect when it's being covered. The feature is enabled by default since [[Google Chrome]] 74, released in April 2019.<ref>{{cite web|url=https://m417z.com/De-anonymization-via-Clickjacking-in-2019/|title=De-anonymization via Clickjacking in 2019}}</ref> The API is also implemented by other [[Chromium (web browser)|Chromium-based]] browsers, such as Microsoft Edge and Opera.

===Server-side===
====[[Framekiller]]====
Web site owners can protect their users against UI redressing (frame based clickjacking) on the server side by including a [[framekiller]] JavaScript snippet in those pages they do not want to be included inside frames from different sources.<ref name="Zalevski2" />

Such JavaScript-based protection is not always reliable. This is especially true on Internet Explorer,<ref name="Zalevski2" /> where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an <syntaxhighlight lang="HTML" inline><IFRAME SECURITY=restricted></syntaxhighlight> element.<ref name="hackademix22">{{cite web|url=http://hackademix.net/2009/01/27/ehy-ie8-i-can-has-some-clickjacking-protection/|title=Hey IE8, I Can Has Some Clickjacking Protection|author=Giorgio Maone|date=27 October 2008|publisher=hackademix.net|access-date=2008-10-27}}</ref>

====X-Frame-Options====
Introduced in 2009 in [[Internet Explorer]] 8 was a new HTTP header <code>X-Frame-Options</code> which offered a partial protection against clickjacking<ref>{{cite web|url=http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx|title=IE8 Security Part VII: ClickJacking Defenses|author=Eric Lawrence|date=27 January 2009|access-date=2010-12-30}}</ref><ref>{{cite web|url=http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx|title=Combating ClickJacking With X-Frame-Options|author=Eric Lawrence|date=30 March 2010|access-date=2010-12-30}}</ref> and was adopted by other browsers ([[Safari (web browser)|Safari]],<ref>{{cite web|url=http://blogs.zdnet.com/security/?p=3541|title=Apple Safari jumbo patch: 50+ vulnerabilities fixed|author=Ryan Naraine|date=8 June 2009|access-date=2009-06-10|archive-date=12 June 2009|archive-url=https://web.archive.org/web/20090612022948/http://blogs.zdnet.com/security/?p=3541|url-status=dead}}</ref> [[Firefox]],<ref>https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header {{Webarchive|url=https://web.archive.org/web/20101007022651/https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header |date=7 October 2010 }} The X-Frame-Options response header — MDC</ref> [[Google Chrome|Chrome]],<ref>{{cite web|url=https://blog.chromium.org/2010/01/security-in-depth-new-security-features.html|title=Security in Depth: New Security Features|author=Adam Barth|date=26 January 2010|access-date=2010-01-26}}</ref> and [[Opera (web browser)|Opera]]<ref>{{cite web|url=http://www.opera.com/docs/specs/presto26/#network|title=Web specifications support in Opera Presto 2.6|date=12 October 2010|access-date=2012-01-22|archive-url=https://web.archive.org/web/20120114183627/http://www.opera.com/docs/specs/presto26/#network|archive-date=14 January 2012|url-status=dead}}</ref>) shortly afterwards. The header, when set by website owner, declares its preferred framing policy: values of <code>DENY</code>, <code>ALLOW-FROM ''origin''</code>, or <code>SAMEORIGIN</code> will prevent any framing, framing by external sites, or allow framing only by the specified site, respectively. In addition to that, some advertising sites return a non-standard <code>ALLOWALL</code> value with the intention to allow framing their content on any page (equivalent of not setting X-Frame-Options at all).

In 2013 the X-Frame-Options header has been officially published as RFC 7034,<ref>{{cite web|url=http://www.rfc-editor.org/rfc/rfc7034.txt|title=HTTP Header Field X-Frame-Options|year=2013|publisher=IETF}}</ref> but is not an Internet standard. The document is provided for informational purposes only. The W3C's Content Security Policy Level 2 Recommendation provides an alternative security directive, frame-ancestors, which is intended to obsolete the X-Frame-Options header.<ref>{{cite web|url=https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options|title=Content Security Policy Level 2|year=2016|publisher=W3C}}</ref>

A security header like X-Frame-Options will not protect users against clickjacking attacks that are not using a frame.<ref>{{cite web|url=https://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html|title=lcamtuf's blog: X-Frame-Options, or solving the wrong problem|date=10 December 2011 }}</ref>

====Content Security Policy====
The <code>frame-ancestors</code> directive of [[Content Security Policy]] (introduced in version 1.1) can [[Whitelist|allow]] or disallow embedding of content by potentially hostile pages using iframe, object, etc. This directive obsoletes the X-Frame-Options directive. If a page is served with both headers, the frame-ancestors policy should be preferred by the browser.<ref name="Content Security Policy Level 22">{{cite web|url=http://www.w3.org/TR/CSP11/#frame-ancestors-and-frame-options|title=Content Security Policy Level 2|date=2014-07-02|website=w3.org|access-date=2015-01-29}}</ref>—although some popular browsers disobey this requirement.<ref name="Clickjacking Defense Cheat Sheet2">{{cite web|url=https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet|title=Clickjacking Defense Cheat Sheet|access-date=2016-01-15}}</ref>

Example frame-ancestors policies:
# Disallow embedding. All iframes etc. will be blank, or contain a browser specific error page.
Content-Security-Policy: frame-ancestors 'none'

# Allow embedding of [[Same-origin policy|own content]] only.
Content-Security-Policy: frame-ancestors 'self'

# Allow specific origins to embed this content
Content-Security-Policy: frame-ancestors www.example.com www.wikipedia.org

==See also==
{{Div col}}
* [[Mousetrapping]]
* [[Browser security]]
* [[Click fraud]]
* [[Cross-site scripting]]
* [[Internet safety]]
* [[Internet security]]
* [[Malvertising]]
* [[Phishing]]
* [[Security hacker]]
* [[Social jacking]]
{{div col end}}

==References==
{{reflist}}
{{Prone to spam|date=November 2014}}{{Scams and confidence tricks}}{{Malware}}

[[Category:Hacking (computer security)]]
[[Category:Computing culture]]
[[Category:Web security exploits]]
[[Category:Social engineering (security)]]
[[Category:Client-side web security exploits]]

Clickjacking - Revision history

imported>Maxeto0910: period after sentence