Talk:Clickjacking

From Wikipedia, the free encyclopedia
High traffic

On 25 May 2010, Clickjacking was linked from Slashdot, a high-traffic website.

What is this all about?

The article does not tell how clickjacking differs from other malicious activities. I am just as ill-informed as I was before reading it. Solo Owl (talk) 11:38, 9 October 2008 (UTC)

I agree. Specifics of the attack would be very helpful in formulating effective defenses. 129.219.3.233 (talk) 20:50, 23 October 2008 (UTC)

I also agree, and have added an expand tag hoping that someone who knows can add more details. My html comment was "expand tagged because I request more detail for an intelligent layman: what it is or does, what it looks like and actual examples". I came here because my installed NoScript informed me of a potential clickjacking attempt from a Lifehacker.com page on "mouseless navigation". I was using my keyboard tab button to navigate to a digg.com link (I do *not* whitelist digg.com). This was new to me. -84user (talk) 15:56, 6 November 2008 (UTC) fixed sp and link 84user (talk) 15:58, 6 November 2008 (UTC)
I just added some more information on clickjacking. I am new to editing the Wiki, so pardon me in case of any small issues related to editing formats. I did a study of clickjacking to give a presentation in class, so I put in a simple description and information I gathered from that study. Tarunbk (talk) 00:56, 14 December 2008 (UTC)

In the article: "The hidden page may be an authentic page...." Comment about the quoted content: A hidden page ipso facto is INauthentic. Yuzragain (talk) 23:35, 26 January 2009 (UTC)

Other Browsers

Firefox and Internet Explorer are mentioned, but no other browser. What about Opera, Safari, and Chrome? —Preceding unsigned comment added by Rodolfo Hermans (talk · contribs) 15:22, 29 January 2009 (UTC)

New research paper by Stanford University

http://seclab.stanford.edu/websec/framebusting/

This is a new research paper by Stanford University. Please consider adding it to the page. —Preceding unsigned comment added by Tvjoshi (talk · contribs) 17:06, 21 May 2010 (UTC)

X-FRAME-OPTIONS, X-Frame-Options or x-frame-options?

I know HTTP headers are defined as being case-insensitive, but the de facto standard (as in RFC 2616) is to use mixed case for header names with a capital letter at the start of each word, and lower-case tokens for the contents of these headers (e.g., "Cache-Control: private"). The same applies to non-standard headers such as X-Forwarded-For.

I should also point out that although Microsoft certainly qualifies as a reliable source of information about the X-Frame-Options header, it is not a reliable source of information on how this header should be capitalized.

For example, the MSDN blog post on ClickJacking defences defines the header as X-FRAME-OPTIONS, with possible values of DENY and SAMEORIGIN. At the end of this blog post, there is a link to a page by the same author, called Combating ClickJacking With X-Frame-Options. The author reverts to the all-capitals style in the remainder of this article, but links to another page (same author again) demonstrating some test cases. The embedded frames in this page emit x-frame-options headers (all lower case):

$ curl --head http://www.enhanceie.com/test/ClickJack/vicDeny.asp

HTTP/1.1 200 OK
Date: Thu, 09 Sep 2010 20:00:00 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
x-frame-options: deny
Content-Length: 720
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQASTBAB=IKNPKCHNOHBCMMBHKOFCFFOJ; path=/
Cache-control: private

I'm going to change the capitalization in the article to "X-Frame-Options: deny" and "X-Frame-Options: sameorigin". -- 77.103.71.10 (talk) 20:49, 9 September 2010 (UTC)

On X-Frame-Options being "standardized"

The section on X-Frame-Options mentions that it has been "officially standardized" by the IETF. However, RFC 7034 explicitly states:

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

Calling X-Frame-Options a "standard" thus seems misleading. It might be better to say that the header has been documented in the RFC. — Preceding unsigned comment added by Denis Washington (talk · contribs) 09:37, 3 July 2014 (UTC)

Merge of Likejacking

  • Merge same phenomenon, just a specific site and element. Would be more useful to include in main page. Widefox (talk) 09:04, 30 January 2012 (UTC)
Agree And likejacking is a stub article and is better suited with the main topic. ChadH (talk) 17:17, 10 February 2012 (UTC)
Strongly Agree. It's a click. Just because Facebook calls a click a "like" and Reddit calls a click an "upvote" that does not change the basic fact that a click is being hijacked. --Guy Macon (talk) 18:55, 10 February 2012 (UTC)

Done ChadH (talk) 16:33, 16 February 2012 (UTC)

References 11, 12, and 14 in the "likejacking" section are broken links. Is this the right place to mention it? I suspect it happened in the merge. --Chcurtis (talk) 14:11, 12 April 2013 (UTC)

Tapjacking

I just turned that page into a redirect to this one. The following references were removed in the process:

If you think they may serve as appropriate references or external links, you may use them in this article. Keφr 10:43, 29 June 2013 (UTC)

How does CSP help?

The bottom of the article states that "Content Security Policy is proposed standard countermeasure against clickjacking and other similar attacks." However, the linked article only talks about JavaScript, and fails to mention frames. Therefore it is not clear if CSP can really prevent all forms of clickjacking. Also, I guess CSP might not really belong in the X-Frame-Options section. 103.1.70.144 (talk) 03:39, 30 July 2013 (UTC)
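The following Node.js script is an added example and not code from the article, the Microsoft pages, or the Stanford paper. It answers the question above and the capitalization question in the X-Frame-Options section: the part of CSP that addresses clickjacking is the frame-ancestors directive of CSP Level 2, which restricts who may embed a page in a frame (the script-src restrictions the linked article discusses play no role), and when frame-ancestors is present browsers ignore X-Frame-Options. The script models that decision for a response with a given set of headers. Header names are matched case-insensitively and X-Frame-Options values are compared case-insensitively, so the lower-case "x-frame-options: deny" emitted by the enhanceie.com test page works exactly like "X-Frame-Options: DENY". The header sets are constructed for the example (the first reproduces the curl output above); bank.example, partner.example, trusted.example and attacker.example are hypothetical hostnames.

```javascript
// Added example (not from the article): model how a browser that honours both
// X-Frame-Options (RFC 7034) and CSP frame-ancestors (CSP Level 2) decides
// whether a response may be rendered in a frame whose top-level document has
// origin `topOrigin`. Run with: node framing-check.js

// HTTP header names are case-insensitive (RFC 7230 section 3.2); normalise on lookup.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// "scheme://host[:port]" of a URL, the unit browsers compare for SAMEORIGIN and 'self'.
function originOf(url) {
  return new URL(url).origin;
}

// Match one CSP host-source such as https://trusted.example or https://*.partner.example
// against a top-level origin. A "*." wildcard matches subdomains only, not the bare host.
function matchesHostSource(src, origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:*]+)(?::(\d+))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const o = new URL(origin);
  if (scheme.toLowerCase() !== o.protocol.slice(0, -1)) return false;
  const defaultPort = o.protocol === 'https:' ? '443' : '80';
  if (port && port !== (o.port || defaultPort)) return false;
  const h = o.hostname.toLowerCase();
  return wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
}

// Evaluate the frame-ancestors directive. Returns true/false, or null when the
// directive is absent. frame-ancestors does NOT fall back to default-src, so a
// policy consisting only of "default-src 'self'" places no restriction on framing.
function cspAllowsFraming(cspValue, pageUrl, topOrigin) {
  if (!cspValue) return null;
  const directive = cspValue.split(';').map(d => d.trim())
    .find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (!directive) return null;
  const sources = directive.split(/\s+/).slice(1)
    .map(s => s.replace(/^'|'$/g, '').toLowerCase());
  if (sources.length === 0 || sources.includes('none')) return false;
  const self = originOf(pageUrl);
  return sources.some(src =>
    src === '*' || (src === 'self' && self === topOrigin) || matchesHostSource(src, topOrigin));
}

// Evaluate X-Frame-Options. Returns true/false, or null when the header is absent
// or carries a value browsers do not recognise (they silently ignore such headers).
function xfoAllowsFraming(xfoValue, pageUrl, topOrigin) {
  if (!xfoValue) return null;
  const v = xfoValue.trim().toLowerCase();
  if (v === 'deny') return false;
  if (v === 'sameorigin') return originOf(pageUrl) === topOrigin;
  // ALLOW-FROM (RFC 7034) was never supported by all browsers and current ones ignore it.
  return null;
}

// Combined decision. Per CSP Level 2, when frame-ancestors is present the user agent
// MUST ignore X-Frame-Options, so CSP is consulted first.
function mayBeFramed(headers, pageUrl, topOrigin) {
  const csp = cspAllowsFraming(getHeader(headers, 'Content-Security-Policy'), pageUrl, topOrigin);
  if (csp !== null) return csp;
  const xfo = xfoAllowsFraming(getHeader(headers, 'X-Frame-Options'), pageUrl, topOrigin);
  if (xfo !== null) return xfo;
  return true; // no restriction at all: an attacker page can overlay this response
}

// Constructed header sets. enhanceieDeny reproduces the headers from the curl
// output quoted in the X-Frame-Options section; the other hostnames are hypothetical.
const SAMPLES = {
  enhanceieDeny: { 'x-frame-options': 'deny', 'Content-Type': 'text/html' },
  sameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspOnly: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  cspBeatsXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors https://trusted.example' },
  defaultSrcOnly: { 'Content-Security-Policy': "default-src 'self'" },
  unprotected: { 'Content-Type': 'text/html' },
};

// Demonstration: can a page on https://attacker.example frame each sample response?
for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(16), mayBeFramed(headers, 'https://bank.example/transfer', 'https://attacker.example'));
}
```

To check a live site, feed the output of `curl -sI <url>` into an object of header name to value and call `mayBeFramed` with the page URL and the origin you intend to frame it from; a `true` result for a foreign origin means the page has no framing protection and is a candidate for clickjacking. The `cspBeatsXfo` sample is the case worth remembering when auditing: an `X-Frame-Options: DENY` that looks safe is overridden by a permissive `frame-ancestors` on the same response.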

Better example needed

The current “example” doesn't explain the attack. It lacks an exact description of the roles involved (attacker, innocent webpage, clicker), and a detailed list of actions that each of them has to do to make this possible.

  • Which types of web sites are vulnerable at all? (I think only those that allow third party content to be displayed.)
  • How can a web site defend against that attack?

--85.183.233.105 (talk) 05:44, 19 September 2013 (UTC)