[SECURITY] Clickjacking Attack

Clickjacking (點擊劫持 in Chinese): when the user clicks a hyperlink, JavaScript actually triggers another event, for example calling an iframe with display=none, so the browser executes potentially malicious code without the user's knowledge, which gives the attacker a chance to steal personal data.

Today a web developer can set the HTTP header X-Frame-Options to decide whether the page may be displayed inside an iframe. Examples:
X-Frame-Options: DENY // refuse to be displayed in any iframe;
X-Frame-Options: SAMEORIGIN // only allow framing from the same origin;
X-Frame-Options: ALLOW-FROM http://www.google.com/ // allow the listed site to frame the page;
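As an added example (not code from the original post), the checker below evaluates whether a response's headers would let a current browser render the page inside a frame on another origin. It also goes beyond the three header values above: it models Content-Security-Policy frame-ancestors, which overrides X-Frame-Options when present, and it treats ALLOW-FROM as ignored, which is what current browsers do, so that value gives no protection. The sample headers and origins are constructed; only exact-origin source matching is modelled.

```python
from urllib.parse import urlsplit

# Constructed sample header sets (not from the original post) used to exercise the checker.
SAMPLE = {
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM http://www.google.com/"},
    "csp": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "none": {},
}


def origin(url):
    """Reduce a URL to its scheme://host[:port] origin, the unit browsers compare."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_allowed(headers, page_url, framer_url):
    """True if a current browser would render page_url inside a frame hosted on framer_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = origin(page_url), origin(framer_url)

    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # When CSP frame-ancestors is present it replaces X-Frame-Options entirely.
        # Simplification: sources are matched as exact origins ('self', '*', 'none', or a full origin).
        if "'none'" in ancestors:
            return False
        return any(src == "*" or (src == "'self'" and framer == page) or src == framer
                   for src in ancestors)

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framer == page
    # ALLOW-FROM (and any other unrecognised value) is not enforced by current browsers,
    # so the header is effectively ignored and the page can be framed from anywhere.
    return True
```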

About C.H. Ling
A .NET / Java developer from Hong Kong, currently located in the United Kingdom. Thanks to Google, because it solves many technical problems, so I built this blog in return. Besides coding and trying advanced technology, hiking and traveling are other favourites of mine, so I will write down what I see and what I feel during them. Happy reading!!!
