Text from this version of Likejacking was copied or moved into Clickjacking#Likejacking with this edit on 16:16, 16 February 2012. The former page's history now serves to provide attribution for that content in the latter page, and it must not be deleted so long as the latter page exists. The former page's talk page can be accessed at Talk:Likejacking.
What is this all about?
- I also agree, and have added an expand tag hoping that someone who knows can add more details. My html comment was "expand tagged because I request more detail for an intelligent layman: what it is or does, what it looks like and actual examples". I came here because my installed NoScript informed me of a potential clickjacking attempt from a Lifehacker.com page on "mouseless navigation". I was using my keyboard tab button to navigate to a digg.com link (I do *not* whitelist digg.com). This was new to me. -84user (talk) 15:56, 6 November 2008 (UTC) fixed sp and link 84user (talk) 15:58, 6 November 2008 (UTC)
- I just added some more information on clickjacking. I am new to editing the Wiki, so pardon me in case of any small issues related to editing formats. I did a study of clickjacking to give a presentation in class, so put a simple description and information I gathered from that study. Tarunbk (talk) 00:56, 14 December 2008 (UTC)
Firefox and Internet Explorer are mentioned, but no other browser. What about Opera, Safari, and Chrome? —Preceding unsigned comment added by Rodolfo Hermans (talk • contribs) 15:22, 29 January 2009 (UTC)
New research paper by Stanford University
X-FRAME-OPTIONS, X-Frame-Options or x-frame-options?
I know HTTP headers are defined as being case-insensitive, but the de facto standard (as in RFC 2616) is to use mixed case for header names with a capital letter at the start of each word, and lower-case tokens for the contents of these headers (e.g., "Cache-Control: private"). The same applies to non-standard headers such as X-Forwarded-For.
I should also point out that although Microsoft certainly qualifies as a reliable source of information about the X-Frame-Options header, it is not a reliable source of information on how this header should be capitalized.
For example, the MSDN blog post on ClickJacking defences defines the header as X-FRAME-OPTIONS, with possible values of DENY and SAMEORIGIN. At the end of this blog post, there is a link to a page by the same author, called Combating ClickJacking With X-Frame-Options. The author reverts to the all-capitals style in the remainder of this article, but links to another page (same author again) demonstrating some test cases. The embedded frames in this page emit x-frame-options headers (all lower case):
On X-Frame-Options being "standardized"
The section on X-Frame-Options mentions that it has been "officially standardized" by the IETF. However, RFC 7034 explicitly states:
This document is not an Internet Standards Track specification; it is published for informational purposes.
Calling X-Frame-Options a "standard" thus seems misleading. It might be better to say that the header has been documented in the RFC. — Preceding unsigned comment added by Denis Washington (talk • contribs) 09:37, 3 July 2014 (UTC)
Merge of Likejacking
- Merge same phenomenon, just a specific site and element. Would be more useful to include in main page. Widefox (talk) 09:04, 30 January 2012 (UTC)
- Agree And likejacking is a stub article and is better suited with the main topic. ChadH (talk) 17:17, 10 February 2012 (UTC)
- Strongly Agree. It's a click. Just because Facebook calls a click a "like" and Reddit calls a click an "upvote" that does not change the basic fact that a click is being hijacked. --Guy Macon (talk) 18:55, 10 February 2012 (UTC)
Done ChadH (talk) 16:33, 16 February 2012 (UTC)
References 11, 12, and 14 in the "likejacking" section are broken links. Is this the right place to mention it? I suspect it happened in the merge. --Chcurtis (talk) 14:11, 12 April 2013 (UTC)
I just turned that page into a redirect to this one. The following references were removed in the process:
- TapJacking Proof of Concept
- Tapjacking: A Recent Vulnerability for Smart Phones
- Android Touch-Event Hijacking
How does CSP help?
Better example needed
The current “example” doesn't explain the attack. It lacks an exact description of the roles involved (attacker, innocent webpage, clicker), and a detailed list of actions that each of them has to do to make this possible.
- Which types of web sites are vulnerable at all? (I think only those that allow third party content to be displayed.)
- How can a web site defend against that attack?
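An added example, not part of this talk page or of any Wikipedia article, that ties together three threads above: the header-capitalization question under "X-FRAME-OPTIONS, X-Frame-Options or x-frame-options?", the empty "How does CSP help?" section, and the "How can a web site defend against that attack?" question here. It is a simplified, defender-side model of how a browser decides whether a response may be placed in a frame: header names are matched case-insensitively (so all three spellings from the MSDN pages are found), a CSP `frame-ancestors` directive takes precedence over X-Frame-Options when both are present, and a response carrying neither is the frameable, clickjackable case. The origins, header sets and the `partner.example` domain are constructed for the example; the source-expression matching covers only `'none'`, `'self'`, scheme-only, exact-origin and `*.host` forms, and SAMEORIGIN is checked against the direct embedder rather than the full ancestor chain.

```python
"""Decide whether a page response may be framed by a given embedder.

Simplified model of browser handling of X-Frame-Options (RFC 7034) and
CSP frame-ancestors (CSP Level 2). Constructed example code, not taken
from any browser, project or article.
"""
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Reduce a URL to its lower-cased scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _get_header(headers: dict, name: str):
    """Case-insensitive header lookup: HTTP header names are case-insensitive,
    so X-FRAME-OPTIONS, X-Frame-Options and x-frame-options are the same header."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _source_matches(source: str, page_origin: str, embedder_origin: str) -> bool:
    """Match one frame-ancestors source expression against the embedder origin
    (subset of the CSP grammar: 'none', 'self', "https:", exact origin, *.host)."""
    s = source.lower().strip("'")
    if s == "none":
        return False
    if s == "self":
        return embedder_origin == page_origin
    if s.endswith(":"):                     # scheme-only source, e.g. "https:"
        return embedder_origin.startswith(s)
    if "://*." in s:                        # wildcard host, e.g. https://*.partner.example
        scheme, _, suffix = s.partition("://*.")
        e_scheme, _, e_host = embedder_origin.partition("://")
        return e_scheme == scheme and (e_host == suffix or e_host.endswith("." + suffix))
    return embedder_origin == s            # exact origin


def framing_decision(headers: dict, page_url: str, embedder_url: str):
    """Return (allowed, reason) for embedding page_url inside a frame on embedder_url."""
    page_origin = _origin(page_url)
    embedder_origin = _origin(embedder_url)

    csp = _get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            # CSP Level 2: when both are present, frame-ancestors is enforced
            # and X-Frame-Options is ignored.
            allowed = any(_source_matches(s, page_origin, embedder_origin) for s in sources)
            return allowed, "frame-ancestors " + ("permits" if allowed else "blocks") + " this embedder"

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().lower()         # header values compared case-insensitively too
        if value == "deny":
            return False, "X-Frame-Options DENY"
        if value == "sameorigin":
            same = embedder_origin == page_origin
            return same, "X-Frame-Options SAMEORIGIN, embedder is " + ("same" if same else "cross") + "-origin"
        # ALLOW-FROM and typos: browsers ignore an unrecognised value, so the page is frameable.
        return True, "unrecognised X-Frame-Options value ignored"

    return True, "no framing policy at all: page can be clickjacked"


# Constructed sample responses (header names deliberately in mixed spellings).
SAMPLE_RESPONSES = {
    "legacy": {"x-frame-options": "SAMEORIGIN"},
    "modern": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
        "X-FRAME-OPTIONS": "DENY",          # fallback for browsers without CSP2; CSP wins here
    },
    "unprotected": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    page = "https://bank.example/transfer"
    for name, headers in SAMPLE_RESPONSES.items():
        for embedder in ("https://bank.example/", "https://app.partner.example/", "https://other.example/"):
            allowed, reason = framing_decision(headers, page, embedder)
            print(f"{name:12} framed by {embedder:30} -> {'ALLOW' if allowed else 'BLOCK'} ({reason})")
```

The "modern" response shows the usual recommendation in practice: send `frame-ancestors` for current browsers and keep an X-Frame-Options fallback for older ones, remembering that the CSP directive is the one that decides when both are understood.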