About Clickjacking Protection
Clickjacking is a malicious technique that tricks a web user into performing an action they did not intend. The attacker loads a legitimate page in an invisible iframe and positions it over decoy content, so a click that appears to land on the decoy actually lands on a button or link in the hidden page, carried out with the victim's own authenticated session. Such attacks are used to change settings, disclose confidential and sensitive information, or otherwise act in the victim's name.
Clickjacking Protection is a self-service feature. It lets you configure which domains are allowed to embed applications such as Cobrowse, Docked Chat and the Self-Service portal in an iframe.
The following options allow or limit the use of the applications in an iframe:
- Allow framing by same origin only: This option is enabled by default. With it selected, Cobrowse, Docked Chat and the Self-Service portal can be embedded only in pages that have the same origin as the application. For example, the two URLs http://xyz.services.com:81/page1.html and http://xyz.services.com:81/page2.html have the same origin because they share the same scheme (http), the same host (xyz.services.com) and the same port (81); the applications can be embedded in an iframe on either page. A page served from a different scheme, host or port, for instance http://xyz.services.com/ (port 80) or https://xyz.services.com/, is a different origin and cannot embed them.
- Allow framing by any page: Selecting this option disables clickjacking protection. Cobrowse, Docked Chat and the Self-Service portal can be embedded in iframes on any page, whether same-origin or on an external domain.
- Don't allow framing by any page: This is the most secure option. With it selected, Cobrowse, Docked Chat and the Self-Service portal cannot be embedded in any page, including pages on the same origin.
- Allow framing of site from external domains and by same origin: This option lets the administrator add recognized external domains to the Allowed Websites list, in addition to same-origin pages. For example, after adding www.test.xyz.services.com to the Allowed Websites list, Docked Chat and the other applications can be embedded in an iframe on pages of that website. Note that a subdomain such as www.test.xyz.services.com is not the same origin as xyz.services.com and must be listed explicitly. Add only domains you control or trust, because each entry grants that site the ability to frame the application.
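The following Python example is added here to make the four options concrete; it is not part of the product and does not show how the product enforces the setting. It models each option as a check of whether a parent page's origin may frame the application (using the browser definition of an origin: scheme, host and port, with the port defaulting from the scheme), and it emits the Content-Security-Policy frame-ancestors value that expresses the same policy. The policy constants, function names and the assumption that frame-ancestors is the header in use are the example's own.

```python
"""Added example, not the product's own code.

Models the Clickjacking Protection options as an origin check plus the
equivalent Content-Security-Policy frame-ancestors value. The mapping to
frame-ancestors is an assumption about how such a setting is commonly
enforced, not a statement about what the product actually sends.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Default ports per scheme; an explicit :80 on http is the same origin as
# no port at all, while :81 is a different origin.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Hypothetical names for the four options described on the page.
SAME_ORIGIN_ONLY = "same_origin_only"
ANY_PAGE = "any_page"
DENY_ALL = "deny_all"
SAME_ORIGIN_AND_ALLOWED = "same_origin_and_allowed"


def origin_of(url: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) triple that defines a web origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, host, port


def same_origin(url_a: str, url_b: str) -> bool:
    """True when both URLs share scheme, host and port (paths are ignored)."""
    return origin_of(url_a) == origin_of(url_b)


def may_frame(policy: str, app_url: str, parent_url: str,
              allowed_sites: tuple[str, ...] | list[str] = ()) -> bool:
    """Decide whether the page at parent_url may embed the application
    served from app_url in an iframe under the given policy."""
    if policy == ANY_PAGE:
        return True            # no protection at all
    if policy == DENY_ALL:
        return False           # not even same-origin pages may frame it
    if same_origin(app_url, parent_url):
        return True            # both remaining options allow same origin
    if policy == SAME_ORIGIN_AND_ALLOWED:
        # Allowed Websites entries are hostnames; match case-insensitively
        # and exactly, so listing xyz.services.com does not cover subdomains.
        parent_host = origin_of(parent_url)[1]
        return parent_host in {site.lower() for site in allowed_sites}
    return False               # SAME_ORIGIN_ONLY and parent is cross-origin


def frame_ancestors_header(policy: str,
                           allowed_sites: tuple[str, ...] | list[str] = ()) -> str | None:
    """CSP frame-ancestors directive expressing the policy.

    None means no directive is sent, which is what 'allow framing by any
    page' amounts to. This mapping is the example's assumption.
    """
    if policy == ANY_PAGE:
        return None
    if policy == DENY_ALL:
        return "frame-ancestors 'none'"
    sources = ["'self'"]
    if policy == SAME_ORIGIN_AND_ALLOWED:
        sources.extend(allowed_sites)
    return "frame-ancestors " + " ".join(sources)


if __name__ == "__main__":
    # Constructed sample values taken from the page's own example URLs.
    app = "http://xyz.services.com:81/page1.html"
    parent_same = "http://xyz.services.com:81/page2.html"
    parent_port80 = "http://xyz.services.com/page1.html"
    parent_listed = "https://www.test.xyz.services.com/support.html"
    allowed = ["www.test.xyz.services.com"]
    for policy in (SAME_ORIGIN_ONLY, ANY_PAGE, DENY_ALL, SAME_ORIGIN_AND_ALLOWED):
        print(policy, frame_ancestors_header(policy, allowed))
        for parent in (parent_same, parent_port80, parent_listed):
            print("  ", parent, "->", may_frame(policy, app, parent, allowed))
```

The port check is the detail most often got wrong: a page on http://xyz.services.com/ (port 80) is a different origin from the application on port 81, so it can only frame the application under the "any page" option or by being listed explicitly under the external-domains option.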