056151cc70
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.

Although many pages within Horizon leverage the X-Frame-Options header with the recommended SAMEORIGIN policy, some (still popular) older browsers don’t support this setting. Namely, browsers older than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus vulnerable to an attack known as Clickjacking unless an additional mitigating control is present.

To support legacy browsers, a suggested best practice is to add a frame breaking script to the base/global template file.

Reference: http://tinyurl.com/anticlickjack

Change-Id: Ibd7acd0d7b4c4d58afcd59f025735bfc9e4c2957
Closes-Bug: 1461154
13 lines
381 B
HTML
{% if disallow_iframe_embed %}
<style id="anti-clickjack">body{display:none !important;}</style>
<script type='text/javascript' charset="utf-8">
    if (self === top) {
        var antiClickjack = document.getElementById("anti-clickjack");
        antiClickjack.parentNode.removeChild(antiClickjack);
    } else {
        top.location = self.location;
    }
</script>
{% endif %}
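Review bot: `{% if disallow_iframe_embed %}` relies on that flag being present in the template context, and nothing in this file shows where it comes from; please confirm a context processor or the rendering view exposes the setting, otherwise the whole block is silently skipped and only the header-based protection remains. Two behaviours of the snippet deserve a comment next to it: with JavaScript disabled the `body{display:none !important;}` style is never removed, so the page renders blank (this is the fail-closed design of the referenced OWASP snippet, but operators should know it), and the script is a supplement to, not a replacement for, the X-Frame-Options header already sent by most Horizon pages, since frame-breaking scripts have known limitations and modern browsers enforce the header reliably.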
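The commit message describes two layers of anti-framing defence: the X-Frame-Options header for browsers that honour it, and a frame-breaking script for the legacy browsers that do not. As an added example that is not part of the Horizon commit or of the project's code, the Python below takes a response (headers plus HTML body) and reports which of those layers is present. It goes slightly beyond the commit by also recognising the CSP `frame-ancestors` directive, the modern successor to X-Frame-Options. The sample responses, the function names and the regular expressions are assumptions constructed for this example, not captured Horizon output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (headers + body); not captured from Horizon.
SAMPLES: Dict[str, Tuple[Dict[str, str], str]] = {
    "header_and_script": (
        {"X-Frame-Options": "SAMEORIGIN"},
        '<html><head><style id="anti-clickjack">body{display:none !important;}</style>'
        "<script>if (self === top) {"
        'var a = document.getElementById("anti-clickjack");'
        "a.parentNode.removeChild(a);} else {top.location = self.location;}"
        "</script></head><body>ok</body></html>",
    ),
    "header_only": ({"X-Frame-Options": "DENY"}, "<html><body>ok</body></html>"),
    "csp_only": (
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "<html><body>ok</body></html>",
    ),
    "unprotected": ({"Content-Type": "text/html"}, "<html><body>ok</body></html>"),
}

# OWASP-style buster: a <style> that hides <body>, plus a top.location redirect.
_HIDE_BODY = re.compile(r"<style[^>]*>[^<]*body\s*\{[^}]*display\s*:\s*none", re.I)
_TOP_LOCATION = re.compile(
    r"top\.location\s*(?:\.href\s*)?=\s*(?:self|window)\.location", re.I
)


def xfo_policy(headers: Dict[str, str]) -> Optional[str]:
    """Return the normalised X-Frame-Options value, or None if absent or unrecognised."""
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            v = value.strip().upper()
            # ALLOW-FROM was never universally supported, but it is a defined value.
            if v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM "):
                return v
            return None  # present but invalid: browsers ignore it, so treat as absent
    return None


def csp_frame_ancestors(headers: Dict[str, str]) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None."""
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    return parts[1:]
    return None


def has_frame_buster(body: str) -> bool:
    """True when the body carries both halves of the frame-breaking snippet."""
    return bool(_HIDE_BODY.search(body) and _TOP_LOCATION.search(body))


def assess(headers: Dict[str, str], body: str) -> dict:
    """Summarise which anti-framing layers a response provides."""
    xfo = xfo_policy(headers)
    ancestors = csp_frame_ancestors(headers)
    buster = has_frame_buster(body)
    # A header-based policy covers modern browsers; 'frame-ancestors *' allows all.
    modern = xfo is not None or (ancestors is not None and ancestors != ["*"])
    findings = []
    if not modern:
        findings.append("no X-Frame-Options or CSP frame-ancestors policy")
    if not buster:
        findings.append("no frame-breaking script for legacy browsers")
    return {
        "xfo": xfo,
        "frame_ancestors": ancestors,
        "frame_buster": buster,
        "modern_protected": modern,
        "legacy_protected": buster,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, (hdrs, html) in SAMPLES.items():
        print(label, assess(hdrs, html))
```

Run against a real deployment, the headers and body would come from an HTTP client rather than from `SAMPLES`; the detection of the script is deliberately pattern-based, so a buster written differently from the OWASP snippet would need an extra pattern.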