When the first release candidate for Internet Explorer 8 was released, the accompanying press release mentioned that it protects users from clickjacking attacks “out of the box”, and that this was possible “without impacting compatibility”. Microsoft has now published some additional details showing how this protection works; for now, it looks like a fairly weak method, since it only helps when webmasters actually change their sites.

How dangerous is clickjacking?

To understand the proposed solutions, it’s important to know how clickjacking, also known as “UI redressing”, actually works. ThreatExpert has a nice graphic showing the attack. Basically, the attacker includes the attacked site in his own page via a frame, which is either made transparent or otherwise hidden. If you happen to be logged on, for example to your bank’s payment system or to your Amazon account with one-click shopping enabled, the attacker can make the page you see look like a benign site, while positioning the hidden frame so that your clicks on one of its buttons actually land on the bank or shopping site. Because the browser sends your session cookies along with the framed page, the click is processed as if you had made it on the real site yourself.

A practical example: on the page below, you can order a free avatar:

[image: clickjack_1]

But what if the “check out” button you actually clicked was coming from this frame, hidden underneath?

[image: clickjack_2]

What protection does IE8 offer?

The fix is actually very simple: it lets website owners send an extra HTTP response header with their pages that tells Internet Explorer the page is not supposed to be displayed in a frame. It’s called X-Frame-Options; a value of DENY means the page may never be shown in a frame, and SAMEORIGIN only allows it to be framed by pages from the same site. If a page is framed in violation of the header, IE8 shows a warning in place of the frame content, together with a link that opens the page in a new window. Note that it has to be sent as an HTTP header by the server; putting the same value in a <meta> tag does nothing.

[image: ie8_clickjack_protection]

Sounds good, what are other browsers doing?

Actually, websites have been using a remarkably similar defence in other browsers for a while now, usually called “frame busting”; all it takes is including this piece of JavaScript in your page:

<script type="text/javascript">
// If this page is not the top-level window, navigate the top window to this
// page, breaking out of whatever frame it was loaded into.
if (top != self) top.location.href = self.location.href;
</script>

This works in most browsers, but it is not hard to defeat: Internet Explorer, for instance, lets the framing page add security="restricted" to its iframe, which loads the framed page with scripting disabled, and in any browser the framing page can try to cancel the navigation from an onbeforeunload handler. Still, by combining this script with the X-Frame-Options header, your site has just become harder to use in a clickjacking attempt. Neither of these methods protects against plugin-based clickjacking, such as attempts using Flash, but it’s a start.

So what’s next?

To start with the good news: there is a better solution for Firefox users. It’s called ClearClick, and it has been part of the NoScript extension for Firefox for months. It works on the client side, by checking whether the element you are clicking on is really the one you see, so it protects against most forms of clickjacking, including attempts using some plugins and attacks against sites that don’t send the X-Frame-Options header or use the JavaScript mentioned above.

Additionally, there is a request to add X-Frame-Options support to Firefox, and I’m sure WebKit (and thus Safari and Chrome) will follow suit if it is approved. That would make the header a de facto standard, making it easier for websites to protect themselves against these attacks.