Talk:Clickjacking/Archives/2013

What is this all about?
The article does not tell how clickjacking differs from other malicious activities. I am just as ill-informed as I was before reading it. Solo Owl (talk) 11:38, 9 October 2008 (UTC) }}

I agree. Specifics of the attack would be very helpful in formulating effective defenses. 129.219.3.233 (talk) 20:50, 23 October 2008 (UTC)


 * I also agree, and have added an expand tag hoping that someone who knows can add more details. My html comment was "expand tagged because I request more detail for an intelligent layman: what it is or does, what it looks like and actual examples". I came here because my installed NoScript informed me of a potential clickjacking attempt from a Lifehacker.com page on "mouseless navigation". I was using my keyboard tab button to navigate to a digg.com link (I do *not* whitelist digg.com). This was new to me. -84user (talk) 15:56, 6 November 2008 (UTC) fixed sp and link 84user (talk) 15:58, 6 November 2008 (UTC)


 * I just added some more information on clickjacking, I am new to editing the Wiki so pardon me in case of any small issues related to editing formats. I did a study of clickjacking to give a presentation in class, so put a simple description and information i gathered from that study. Tarunbk (talk) 00:56, 14 December 2008 (UTC)

- In the article: "The hidden page may be an authentic page...." Comment about the quoted content: A hidden page ipso facto is INauthentic. Yuzragain (talk) 23:35, 26 January 2009 (UTC)

Other Browsers
Firefox and Internet explorer are mentioned, but no other bowser. What about Opera, Safari, and Chrome? —Preceding unsigned comment added by Rodolfo Hermans (talk • contribs) 15:22, 29 January 2009 (UTC)

New research paper by Stanford university
http://seclab.stanford.edu/websec/framebusting/

This is a new research paper by stanford university. Please consider adding it to the page. —Preceding unsigned comment added by Tvjoshi (talk • contribs) 17:06, 21 May 2010 (UTC)

X-FRAME-OPTIONS, X-Frame-Options or x-frame-options?
I know HTTP headers are defined as being case-insensitive, but the de facto standard (as in RFC 2616) is to used mixed case for header names with a capital letter at the start of each word, and lower-case tokens for the contents of these headers (e.g, "Cache-Control: private"). The same applies to non-standard headers such as X-Forwarded-For.

I should also point out that although Microsoft certainly qualifies as a reliable source of information about the X-Frame-Options header, it is not a reliable source of information on how this header should be capitalized.

For example, the MSDN blog post on ClickJacking defences defines the header as X-FRAME-OPTIONS, with possible values of DENY and SAMEORIGIN. At the end of this blog post, there is a link to a page by the same author, called Combating ClickJacking With X-Frame-Options. The author reverts to the all-capitals style in the remainder of this article, but links to another page (same author again) demonstrating some test cases. The embedded frames in this page emit x-frame-options headers (all lower case):

$ curl --head http://www.enhanceie.com/test/ClickJack/vicDeny.asp HTTP/1.1 200 OK

Date: Thu, 09 Sep 2010 20:00:00 GMT

Server: Microsoft-IIS/6.0

MicrosoftOfficeWebServer: 5.0_Pub

X-Powered-By: ASP.NET

x-frame-options: deny

Content-Length: 720

Content-Type: text/html

Set-Cookie: ASPSESSIONIDQQASTBAB=IKNPKCHNOHBCMMBHKOFCFFOJ; path=/

Cache-control: private

I'm going to change the capitalization in the article to "X-Frame-Options: deny" and "X-Frame-Options: sameorigin". -- 77.103.71.10 (talk) 20:49, 9 September 2010 (UTC)

Merge of Likejacking

 * Merge same phenomenon, just a specific site and element. Would be more useful to include in main page. Widefox (talk) 09:04, 30 January 2012 (UTC)
 * Agree And likejacking is a stub article and is better suited with the main topic. ChadH (talk) 17:17, 10 February 2012 (UTC)
 * Strongly Agree. It's a click. Just because Facebook calls a click a "like" and Reddit calls a click an "upvote" that does not change the basic fact that a click is being hijacked. --Guy Macon (talk) 18:55, 10 February 2012 (UTC)

Done ChadH (talk) 16:33, 16 February 2012 (UTC) References 11, 12, and 14 in the "likejacking" section are broken links. Is this the right place to mention it? I suspect it happened in the merge. --Chcurtis (talk) 14:11, 12 April 2013 (UTC)

Tapjacking
I just turned that page into a redirect to this one. The following references were removed in the process: If you think they may serve as appropriate references or external links, you may use them in this article. Keφr 10:43, 29 June 2013 (UTC)
 * TapJacking Proof of Concept
 * Tapjacking: A Recent Vulnerability for Smart Phones
 * Android Touch-Event Hijacking

How does CSP help?
The bottom of the article states that "Content Security Policy is proposed standard countermeasure against clickjacking and other similar attacks." However the linked article only talks about Javascript, and fails to mention frames. Therefore it is not clear if CSP can really prevent all forms of click-jacking. Also I guess CSP might not really belong in the X-Frame-Options section. 103.1.70.144 (talk) 03:39, 30 July 2013 (UTC)
 * Correct, will fix these now. Pawel Krawczyk (talk) 10:48, 31 July 2013 (UTC)