Security/CSP/ClickJackingModule
Overview
By tricking the user into clicking on a concealed link, clickjacking can result in unintentional actions being executed on the user's behalf. This module tries to prevent such an attack.
Dependencies
This module depends on the BaseModule.
Threat Model
The ClickjackingModule is concerned with defending against an attacker with the following abilities:
- The attacker owns and operates a malicious web site (e.g., attacker.com).
- The attacker can cause the user to visit the attacker's web page.
We further assume the web developer wishes to prevent the attacker from achieving the following goals:
- The attacker must not be able to make the user unintentionally click on a link on the developer's website.
Syntax
The ClickjackingModule introduces the following directives:
directive = "frame-ancestors"
Semantics
The UA MUST ensure that ALL ancestors of the document are in the origin list. An ancestor is any HTML document between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are ancestors of C. If A embeds both B and C, B is not an ancestor of C, but A still is. [1]
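The ancestor check described above, as an added example (not code from the spec or from any browser). It assumes the origin list holds full origins compared by exact equality; the function names and the .example hosts are hypothetical and constructed for illustration.

```javascript
// Constructed frame-tree node: an origin plus a parent link (null at the top).
function makeFrame(url, parent = null) {
  return { origin: new URL(url).origin, parent };
}

// Every document between the protected resource and the top of the frame tree.
function ancestorOrigins(frame) {
  const origins = [];
  for (let f = frame.parent; f !== null; f = f.parent) origins.push(f.origin);
  return origins;
}

// Assumption: each source is a full origin; real source-list matching is richer.
function parseFrameAncestors(directive) {
  const [name, ...sources] = directive.trim().split(/\s+/);
  if (name !== "frame-ancestors") throw new Error("not a frame-ancestors directive");
  return new Set(sources.map((s) => new URL(s).origin));
}

// Allowed only if ALL ancestors are listed; blockedBy names the ones that are not.
function mayRender(frame, directive) {
  const allowed = parseFrameAncestors(directive);
  const blockedBy = ancestorOrigins(frame).filter((o) => !allowed.has(o));
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Case 1: A embeds B which embeds C, so both A and B are ancestors of C.
const a = makeFrame("https://a.example/");
const b = makeFrame("https://b.example/widget", a);
const c = makeFrame("https://c.example/protected", b);

// Case 2: A embeds both B and C, so B is a sibling of C and only A is an ancestor.
const cSibling = makeFrame("https://c.example/protected", a);

// Case 3: a listed frame (B) sits between C and an unlisted top-level page.
const top = makeFrame("https://attacker.com/");
const bNested = makeFrame("https://b.example/widget", top);
const cNested = makeFrame("https://c.example/protected", bNested);

const policy = "frame-ancestors https://a.example https://b.example";
console.log(mayRender(c, policy));        // both ancestors listed
console.log(mayRender(cSibling, "frame-ancestors https://a.example"));
console.log(mayRender(cNested, policy));  // parent listed, top-level page is not
```

Case 3 is why the check covers every ancestor: looking only at the immediate parent would accept a listed frame that is itself embedded in an unlisted page.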
Open Issues
- The threat and the solution seem to be disconnected. If the goal is to protect against unintentional clicks, then maybe a fine-grained display separation requirement / click confirmation dialog requirement (like ClearClick) should be made. If the solution is this, then the goal should be rewritten as 'control resource embedding'.
- Another possible clickjacking scenario arises when the website itself embeds another iframe: the embedded frame could cover up some area of the site (see http://www.cs.berkeley.edu/~devdatta/1.html for a trivial example). Currently this is not in the threat model (nor is it explicitly outside the threat model). We should figure out what we want to do in this case.
[1] https://wiki.mozilla.org/Security/CSP/Spec#frame-ancestors