To stop clickjacking, which one is more secure: breaking out of the iframe, or X-Frame-Options set to DENY or SAMEORIGIN?

StackOverflow https://stackoverflow.com/questions/18196640

Question

To prevent clickjacking from happening on your website, I have noticed several different methods. Some use JavaScript to have your website break out of the iframe; the other solution is to set the X-Frame-Options header to DENY or SAMEORIGIN. Which one of the two methods I mentioned do you think is more secure? Here is a sample page I am using to test clickjacking.

<!DOCTYPE html>
<html>
<body>
<h1>Clickjacking Test</h1>
<!-- Target site loaded in a frame; a site sending X-Frame-Options will refuse to render here -->
<iframe src="http://www.google.com/" height="500" width="500"></iframe>
</body>
</html>

With iframe-breaking code you will see that Firefox and Safari are slow to get out of the iframe, meaning you will see "Clickjacking Test" first and then it will break out of that iframe and show the original website. With IE and Chrome it is fast enough not to be noticeable. But with the X-Frame-Options solution you simply do not see your website at all. It will be blocked, like Google in the above example. So my question is: which of the solutions is better? Blocking it completely, or breaking out of the iframe (slow in two browsers)?


Solution

In my experience, setting X-Frame-Options (XFO) rules works much better than breaking out of iframes. When it comes to rules, it really depends on whether you absolutely have to use iframes. If you can remove iframes from your website completely, using the DENY rule would be best; however, if you still have iframes in your site, use the SAMEORIGIN rule.

The differences between the available rules are outlined below (quoted from IETF):

  1. DENY A browser receiving content with this header MUST NOT display this content in any frame.

  2. SAMEORIGIN A browser receiving content with this header MUST NOT display this content in any frame from a page of different origin than the content itself. If a browser or plugin can not reliably determine whether the origin of the content and the frame have the same origin, this MUST be treated as "DENY". [TBD]current implementations do not display if the origin of the top-level-browsing-context is different than the origin of the page containing the X-FRAME-OPTIONS header.

  3. ALLOW-FROM (followed by a URI of trusted origins) A browser receiving content with this header MUST NOT display this content in any frame from a page of different origin than the listed origin. While this can expose the page to risks by the trusted origin, in some cases it may be necessary to use content from other domains. For example: X-FRAME-OPTIONS: ALLOW-FROM https://www.domain.com/

I would also suggest reading "Clickjack attack – the hidden threat right in front of you" by Troy Hunt.

Hope this helps.

OTHER TIPS

X-Frame-Options is the ‘proper’ solution, that solves the problem by completely blocking framing. It is the better method, but there are still browsers out there that don't support it (most notably IE<8). So to cover those cases you need a JavaScript solution as well.

There are two problems with JavaScript framebusters:

Firstly: most of them try to ‘break out’ of the frame, replacing the main window with their document. However the attacker document in the parent window can easily resist being navigated, and though there are workarounds, they can always themselves be circumvented (see "Frame Buster Buster ... buster code needed"). If your script detects you have been framed, the better solution from a security point of view is to make the whole page unusable, for example by setting document.body.innerHTML to an error message.

The parent-navigation approach happens because framebusters originated as a means for webmasters to escape from unwanted framing from sites like search engines. It wasn't a security issue for them, and they didn't want to lose any traffic by barring access, so they chose a solution that doesn't provide security.

Secondly: framebusters can be prevented from running, by running the frame in an iframe with IE's security="restricted" attribute, or through false-positive attacks on XSS filters, or just because the user has JS turned off. You can get around this by having the page only work when JavaScript is enabled, but that has obvious negative accessibility impact.
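As an added example (not part of the answer above), here is the JavaScript fallback the answer argues for: it never tries to navigate the parent, and it keeps the page hidden by default so that a framebuster which is prevented from running leaves nothing clickable behind. The page starts with a hiding style in its head; the script removes that style only when the window is the top-level browsing context, and otherwise replaces the body with an inert notice. The element id antiClickjack, the script file name, and the window/document stand-ins used to exercise the logic outside a browser are assumptions of this example.

```javascript
// Added example: a non-navigating framebuster with a hidden-by-default page.
// Expected markup, placed in <head> before any content (id is an assumption):
//   <style id="antiClickjack">body { display: none !important; }</style>
//   <script src="framing-defense.js"></script>

// 'render' when this window is the top-level browsing context, 'disable'
// when it is framed. Comparing the window references never throws, unlike
// reading top.location from a cross-origin frame.
function framingDecision(win) {
  return win.self === win.top ? 'render' : 'disable';
}

// Apply the decision to the document and return it.
function applyFramingDefense(win, doc) {
  const decision = framingDecision(win);
  const removeGate = () => {
    const gate = doc.getElementById('antiClickjack');
    if (gate && gate.parentNode) gate.parentNode.removeChild(gate);
  };
  if (decision === 'render') {
    // Unframed: drop the hiding rule so the page becomes visible.
    removeGate();
  } else {
    // Framed: wipe the real content first, then reveal only the notice.
    // No attempt is made to navigate the parent, so there is nothing for
    // an attacker's frame-buster-buster to block.
    const disable = () => {
      doc.body.innerHTML = '<p>This page cannot be used inside a frame.</p>';
      removeGate();
    };
    if (doc.body) disable();
    else doc.addEventListener('DOMContentLoaded', disable);
  }
  return decision;
}

// Minimal window/document stand-ins (constructed for this example) so the
// logic can be exercised outside a browser, framed or not.
function fakeBrowser(framed) {
  const top = { name: 'top' };
  const win = { top, self: framed ? { name: 'frame' } : top };
  const head = { children: [] };
  head.removeChild = node => {
    head.children = head.children.filter(n => n !== node);
  };
  head.children.push({ id: 'antiClickjack', parentNode: head });
  const doc = {
    head,
    body: { innerHTML: '<h1>Account settings</h1><button>Transfer</button>' },
    getElementById: id => head.children.find(n => n.id === id) || null,
  };
  return { win, doc };
}

// In a real page, run as soon as the script is parsed.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFramingDefense(window, document);
}

if (typeof module !== 'undefined') {
  module.exports = { framingDecision, applyFramingDefense, fakeBrowser };
}
```

The cost the answer mentions applies here too: with JavaScript disabled the page stays hidden, which is the accessibility trade-off of choosing hidden-by-default over navigate-on-detect.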

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow