Prevent Clickjacking on Your Site with a Metatag

Clickjacking is one of those nightmare situtations for your customers. And the attack on your Web site is one of those common attacks. A metatag can help make the Cross Site Request Forgery (CSRF) attack ineffective.

The Internet Explorer 8 team has been working on how to effectively mintigate the vulnerability. In a blog posting, IE8 Security Part VII: ClickJacking Defenses, the team describes the issue and provides a solution for ISVs. In the posting the team says, "ClickJacking is a term which encompasses multiple techniques that can be used to trick the user into unwittingly clicking an obscured or hidden web element, usually resulting in an unwanted transaction. A successful ClickJacking attack could circumvent CSRF protections that attempt to confirm transactions with the user."

The posting describes a solution adopted by Internet Explorer 8.

Web developers can send a HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed. If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame. If the value contains the token SAMEORIGIN, IE will block rendering only if the origin of the top level-browsing-context is different than the origin of the content containing the X-FRAME-OPTIONS directive.

When rendering is blocked by the X-FRAME-OPTIONS policy, a local error page is presented that explains the restriction and provides a link which opens the frame in a new window. When displayed in a new window rather than a sub-frame, content is no longer subject to ClickJacking

Adding X-FRAME-OPTIONS to your header you can immediately help mitigate web application attacks for IE8 users. For more information, see IE8 Security Part VII: ClickJacking Defenses.