-- Apr 26 In-Class Exercise
CODE:
<!DOCTYPE html>
<html>
<head>
<title>ICE 10 | April 26, 2017</title>
</head>
<body>
<iframe src="http://www.cs.sjsu.edu/faculty/pollett/174.1.17s/clickjack.html">
<p>Your browser does not support iframes.</p>
</iframe>
</body>
</html>
Observation:
iframe content is empty.
Console:
Refused to display 'http://www.cs.sjsu.edu/faculty/pollett/174.1.17s/clickjack.html' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Failed to load resource: net::ERR_BLOCKED_BY_RESPONSE
Explanation:
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. The added security is only provided if the user accessing the document is using a browser, Chrome in my case, that supports X-Frame-Options. If you specify the SAMEORIGIN directive, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
(Edited: 2017-04-26)
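The following is an added example, not part of the exercise page or the course site, that models the decision the explanation describes: given the X-Frame-Options value a response carries, the origin the page was served from, and the origin of the page trying to frame it, does a browser that honours the header render the frame? It also shows the server side, a minimal handler that sets SAMEORIGIN together with the Content-Security-Policy frame-ancestors directive that modern browsers honour alongside (and in preference to) X-Frame-Options. The example treats any value other than DENY or SAMEORIGIN, including the obsolete ALLOW-FROM, as an invalid header that is ignored, which is Chromium's behaviour; that and the sample URLs (example.test, attacker.test, the local file path) are assumptions, and the model compares only the framing page's origin rather than every ancestor frame.

```python
"""Added example, not part of the exercise page: model what a browser that
honours X-Frame-Options does with the header, and serve a page that sets it.
The URLs used in the tests are constructed sample values, not real sites."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased: the tuple browsers compare for 'same origin'.
    A file:// page has an empty host, so it is never same-origin with a web page."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def framing_allowed(xfo: Optional[str], page_url: str, framer_url: str) -> bool:
    """True if a page served from page_url with this X-Frame-Options value
    would be rendered inside a frame on framer_url.

    None / absent  -> no restriction (the page can be framed anywhere)
    DENY           -> never framed
    SAMEORIGIN     -> framed only when framer and page share an origin
    anything else  -> treated as an invalid header and ignored (assumption:
                      this matches Chromium, which logs a warning and
                      ignores values it does not recognise)
    """
    if xfo is None:
        return True
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    return True  # invalid value, e.g. the obsolete ALLOW-FROM: header ignored


def protective_headers() -> List[Tuple[str, str]]:
    """Headers a site sends to get the behaviour seen in the exercise: the
    legacy X-Frame-Options header plus its CSP equivalent for newer browsers."""
    return [
        ("X-Frame-Options", "SAMEORIGIN"),
        ("Content-Security-Policy", "frame-ancestors 'self'"),
    ]


class ProtectedPage(BaseHTTPRequestHandler):
    """Serves a page that refuses to be framed by other origins. Embedding
    http://127.0.0.1:8000/ in an iframe from any other origin reproduces the
    'Refused to display ... X-Frame-Options' console message."""
    BODY = b"<!DOCTYPE html><html><body><button>Confirm</button></body></html>"

    def do_GET(self) -> None:
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in protective_headers():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(self.BODY)))
        self.end_headers()
        self.wfile.write(self.BODY)


if __name__ == "__main__":
    # Run, then load a local HTML file containing
    # <iframe src="http://127.0.0.1:8000/"></iframe> to see the block in the console.
    HTTPServer(("127.0.0.1", 8000), ProtectedPage).serve_forever()
```

The exercise's own case is the first assertion below: the course page is served from http://www.cs.sjsu.edu with SAMEORIGIN, and the student's page is a local file, so the origins differ and the frame stays empty. Note that the port is part of the origin, so a page on the same host but a different port is also refused.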