sound
Posted May 12, 2018

Anyone know if there are any drawbacks with adding this to an Invision site?

Keep malicious people from integrating your pages into their websites.

Clickjacking explained

This kind of attack happens when your page gets integrated with a malicious website via <frame> or <iframe> tags. By doing this, attackers can persuade users that they are on your own page when they are not. The unsuspecting user may enter personal information that is visible on, and thus vulnerable to, the malicious website. To avoid this, always indicate which domains have permission to integrate your pages.

How to prevent clickjacking?

Configure an "X-Frame-Options" HTTP header. Configure your server so the main resource response includes the "X-Frame-Options" HTTP header. Three values may be defined:

- DENY to prevent any frame or iframe from integrating the page;
- SAMEORIGIN to authorize only frames from the same domain name;
- ALLOW-FROM uri to indicate the domains allowed to integrate a page into a frame (however, it is not compatible with some browsers).
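The three header values above decide whether a browser will render a page inside someone else's frame. The following Python is an added example, not code from the post or from Invision Community: it models that decision the way a browser that honours X-Frame-Options does (comparing scheme, host and port of the framing page against the page carrying the header), and it pulls the header out of a constructed set of response headers so duplicated or conflicting directives are flagged rather than silently picked from. The forum URL `https://forum.example`, the framing URLs and the `SAMPLES` responses are all made up for the demonstration. Modern browsers also honour `Content-Security-Policy: frame-ancestors`, which is not modelled here.

```python
"""
Model of how a browser that honours X-Frame-Options decides whether a page
may be rendered inside a <frame>/<iframe> on another site.

Added example, not from the forum post or from Invision Community. The
"page" and "framer" URLs and the sample header sets are constructed inputs.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) origin of an absolute URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not scheme or parts.hostname is None:
        raise ValueError("origin needs an absolute URL with scheme and host: %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname, port)


def xfo_from_headers(headers):
    """Pull X-Frame-Options out of a list of (name, value) response headers.

    Header names are case-insensitive. Several X-Frame-Options headers are
    joined with ", " so decide() sees one multi-valued string and reports the
    configuration as malformed instead of silently picking one directive.
    """
    values = [v.strip() for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return None
    return ", ".join(values)


def decide(xfo_value, page_url, framer_url):
    """Return "allowed", "blocked" or "malformed".

    page_url   - the document that carries the header (e.g. the forum page)
    framer_url - the top-level document that tries to embed it
    "malformed" means the value is not one the header defines; real browsers
    then fall back to browser-specific handling, usually ignoring the header,
    so an audit should treat the page as unprotected.
    """
    if xfo_value is None:
        return "allowed"              # no header at all: anyone may frame the page
    tokens = [t.strip() for t in xfo_value.split(",") if t.strip()]
    if len(tokens) != 1:
        return "malformed"            # empty, duplicated or conflicting directives
    directive, _, argument = tokens[0].partition(" ")
    directive = directive.upper()
    argument = argument.strip()
    try:
        if directive == "DENY":
            return "blocked"
        if directive == "SAMEORIGIN":
            same = origin_of(page_url) == origin_of(framer_url)
            return "allowed" if same else "blocked"
        if directive == "ALLOW-FROM" and argument:
            # Legacy directive: browsers that never implemented it ignore the
            # whole header, so in those browsers the page is framable by anyone.
            allowed = origin_of(argument) == origin_of(framer_url)
            return "allowed" if allowed else "blocked"
    except ValueError:
        pass                          # ALLOW-FROM argument was not an absolute URL
    return "malformed"


# Constructed sample responses for a forum served at https://forum.example
SAMPLES = {
    "no header":  [("Content-Type", "text/html")],
    "deny":       [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "sameorigin": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "duplicated": [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
}


def audit(headers, page_url="https://forum.example/index.php",
          framer_url="https://attacker.example/"):
    """Decide whether framer_url could frame page_url given the response headers."""
    return decide(xfo_from_headers(headers), page_url, framer_url)


if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print("%-11s -> %s" % (name, audit(headers)))
```

With SAMEORIGIN, framing from `https://forum.example/embed` is allowed while `http://forum.example/` (different scheme) and any other host are blocked, which is the behaviour the post is asking about when embedding the forum inside another site.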
bfarber
Posted May 14, 2018

You can send the header with SAMEORIGIN typically without issue. We do have some instances where a site may validly be included in an iframe, which is why we can't set the header out of the box.