Here is the test page. I have a page with an iFrame that contains another HTML page on my site.
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <p>Website is not vulnerable to clickjacking.</p>
    <iframe src="../page1" width="500" height="500" id="iframe"></iframe>
  </body>
</html>
Here is the script I have on page1.html
<script type="text/javascript">
// Frame detection: window.self and window.top are the same object when this
// document is the top-level page and different objects when it is inside any
// iframe, including a nested one (the parent-only comparison misses nesting).
if (window.self !== window.top) {
    console.log("iFrame Detected");
    // Navigation is asynchronous: the current script keeps running until the
    // document is unloaded, so the log line after this still appears.
    window.location.replace("redirectMessage.html");
    console.log("after redirect");
} else {
    // not framed
}
</script>
Goal: when I go to ClickJack Test Page, detect an iframe and redirect the page within the iFrame to redirectMessage.html
I am getting "iFrame Detected" and "after redirect" in the console, so I know my IF statement is being reached.
But the page within the iFrame is not redirected.
You should not try to figure out whether your page is being loaded inside an iframe, since the attacker could simply use the sandbox attribute on the iframe; that would stop your script, making your (login) page vulnerable to clickjacking.
Instead, the backend of your website should return an X-Frame-Options header set to DENY in order to block browsers from rendering your website in iframes.
See here for more details: https://steemit.com/security/@gaottantacinque/steemit-security-check-iframe-tricks
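As an added example (not code from the question or the answer above), here is a small Node.js request handler that sends the header the answer recommends, together with an audit helper that checks whether a response already prevents framing. It goes slightly beyond the answer: alongside `X-Frame-Options` it also sends the `Content-Security-Policy` `frame-ancestors` directive, which is the modern replacement and takes precedence in browsers that support it, and it covers the same-origin and origin-allowlist cases as well as DENY. The handler assumes Node's `http.ServerResponse` API (`res.setHeader` / `res.end`); the function names and the `mode` parameter are this example's own.

```javascript
// Added example, not code from the question or the answer above: a Node.js
// request handler that sends anti-framing response headers, plus an audit
// helper that checks whether a set of response headers already carries them.
// Assumes Node's http.ServerResponse API (res.setHeader / res.end); wire it
// up with http.createServer(handleRequest).listen(port) to try it out.

// Build the response headers for a framing policy.
//   mode = 'deny'        -> nobody may frame the page (what the answer suggests)
//   mode = 'sameorigin'  -> only pages from the same origin may frame it
//   mode = 'allow'       -> only the listed origins may frame it
// X-Frame-Options is the legacy header; the Content-Security-Policy
// frame-ancestors directive is its modern replacement and, when present,
// takes precedence in browsers that support it. Both are sent for the first
// two modes so that old and new browsers agree. An origin allowlist can only
// be expressed with CSP: X-Frame-Options ALLOW-FROM is obsolete and ignored
// by current browsers, so it is deliberately not emitted.
function framingHeaders(mode, allowedOrigins = []) {
  switch (mode) {
    case 'deny':
      return {
        'X-Frame-Options': 'DENY',
        'Content-Security-Policy': "frame-ancestors 'none'",
      };
    case 'sameorigin':
      return {
        'X-Frame-Options': 'SAMEORIGIN',
        'Content-Security-Policy': "frame-ancestors 'self'",
      };
    case 'allow': {
      if (allowedOrigins.length === 0) {
        throw new Error("mode 'allow' needs at least one origin");
      }
      // Accept only plain scheme://host[:port] origins; paths, wildcards or
      // stray punctuation could change the meaning of the directive.
      const originRe = /^https?:\/\/[A-Za-z0-9.-]+(:\d{1,5})?$/;
      for (const origin of allowedOrigins) {
        if (!originRe.test(origin)) throw new Error(`invalid origin: ${origin}`);
      }
      return {
        'Content-Security-Policy': `frame-ancestors ${allowedOrigins.join(' ')}`,
      };
    }
    default:
      throw new Error(`unknown framing mode: ${mode}`);
  }
}

// Audit helper: do these response headers stop arbitrary third parties from
// framing the page? Header names are case-insensitive, so normalise them.
function hasFramingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }
  // CSP wins when it carries a frame-ancestors directive; only a '*' source
  // leaves the page frameable by anyone. An empty source list allows nothing.
  const csp = h['content-security-policy'] || '';
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
  if (directive !== undefined) {
    const sources = directive.split(/\s+/).slice(1);
    return !sources.includes('*');
  }
  // Fall back to X-Frame-Options. ALLOW-FROM is obsolete and treated as
  // absent by modern browsers, so it counts as no protection.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  return xfo === 'DENY' || xfo === 'SAMEORIGIN';
}

// Request handler: every response, error pages included, gets the headers.
// Returns the headers it set so callers (and tests) can inspect them.
function handleRequest(req, res) {
  const headers = framingHeaders('deny');
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<p>This page refuses to be framed.</p>');
  return headers;
}
```

The headers have to be present on every response that matters, the login page included, not only on the landing page; a quick check is `curl -I` against the URL and confirming that both `X-Frame-Options` and a `Content-Security-Policy` with `frame-ancestors` come back. Once they do, the frame-busting script in the question is unnecessary: the browser refuses to render the framed document before any script in it runs, which is exactly the case the sandbox attribute would otherwise defeat.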