ClickJacking With IIS

Participant,
Apr 13, 2015

Are ColdFusion's clickjacking filter options (Clickjacking issue - adding multiple url patterns in a single filter mapping) needed if using Internet Information Services' (IIS) HTTP Response Header option setting X-Frame-Options? Is ColdFusion (Java) interpretation of page IFRAME content occurring independently of IIS web server's interpretation?

Advocate,
Apr 15, 2015

Clickjacking is a client side event so "ColdFusion (Java) interpretation of page IFRAME content occurring independently of IIS web server's interpretation" would not be an issue -- assuming any of this is going on, which I cannot fathom how it would be. You can set the X-Frame-Options header value in either IIS or your CF application using CFHeader. If both IIS and CF set the value, I'm fairly certain the client will receive two header entries and while ugly, as long as they don't conflict with each other I think you're fine. Does that answer your question?

Participant,
Apr 15, 2015

Is my understanding of your response correct? Web site sends a directive to the client (browser) declaring client should not accept content into IFRAME from anywhere else than the host site? It is up to the client (browser) to handle rejecting any "foreign" (URL path) information within the IFRAME?

Advocate,
Apr 15, 2015

Correct.

Advocate,
Apr 15, 2015

X-Frame-Options: DENY is the easiest and most widely used option to prevent clickjacking but there are other client side scripting options as well. See Clickjacking - OWASP

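The two replies above make a point that is easy to verify on the wire: the header may be emitted by IIS, by a ColdFusion cfheader tag, or by both (in which case it arrives twice), and DENY or SAMEORIGIN are the values browsers honour. The following is an added example, not code from this thread or from Adobe or Microsoft: a small Python audit that parses a raw HTTP response and reports whether X-Frame-Options is present, duplicated, conflicting, obsolete, or superseded by a Content-Security-Policy frame-ancestors directive. The header and directive names are the real ones; the sample responses are constructed for the example and the function names are my own.

```python
"""Audit a raw HTTP response for anti-clickjacking headers.

Added example for this thread, not code from the forum, Adobe or IIS.
The sample responses at the bottom are constructed, not captured output.
"""
from typing import Dict, List, Optional, Tuple

VALID_XFO = {"DENY", "SAMEORIGIN"}   # the two values current browsers honour
OBSOLETE_XFO = {"ALLOW-FROM"}        # dropped by current browsers, ignored if sent


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw response, names lower-cased.

    Duplicate names are kept in wire order, so a header emitted by both
    IIS and a ColdFusion <cfheader> tag shows up twice in the result.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:                                   # ignore malformed lines
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_ancestors(csp_policies: List[str]) -> Optional[List[str]]:
    """Return the source list of the first frame-ancestors directive, if any."""
    for policy in csp_policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def audit(raw_response: str) -> Dict[str, object]:
    """Classify the framing protection a response grants to the browser."""
    headers = parse_headers(raw_response)
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    csp = [v for n, v in headers if n == "content-security-policy"]
    ancestors = frame_ancestors(csp)

    report: Dict[str, object] = {
        "x_frame_options": xfo,
        "duplicate": len(xfo) > 1,        # e.g. IIS and CF both set the header
        "conflict": len(set(xfo)) > 1,    # e.g. IIS says DENY, CF says SAMEORIGIN
        "protected": False,
        "note": "",
    }

    # CSP frame-ancestors takes precedence over X-Frame-Options where supported.
    if ancestors is not None:
        report["protected"] = "*" not in ancestors
        report["note"] = "CSP frame-ancestors present; it overrides X-Frame-Options"
        return report

    if not xfo:
        report["note"] = "no framing restriction: any origin may frame this page"
    elif report["conflict"]:
        # Conservative: conflicting values are handled differently by browsers,
        # so the protection cannot be relied on until one source is removed.
        report["note"] = "conflicting X-Frame-Options values; remove one of the two sources"
    else:
        token = xfo[0].split()[0]          # ALLOW-FROM carries a URI argument
        if token in VALID_XFO:
            report["protected"] = True
            report["note"] = f"X-Frame-Options {token}" + (
                " (sent twice but consistent)" if report["duplicate"] else "")
        elif token in OBSOLETE_XFO:
            report["note"] = "ALLOW-FROM is obsolete and ignored; use CSP frame-ancestors"
        else:
            report["note"] = f"invalid X-Frame-Options value {xfo[0]!r}; browsers ignore it"
    return report


# Constructed sample responses (not captured from any server).
def _response(*extra_headers: str) -> str:
    base = ["HTTP/1.1 200 OK", "Content-Type: text/html; charset=utf-8"]
    return "\r\n".join(base + list(extra_headers)) + "\r\n\r\n<html></html>"


IIS_ONLY = _response("X-Frame-Options: SAMEORIGIN")
IIS_AND_CF_AGREE = _response("X-Frame-Options: SAMEORIGIN", "X-Frame-Options: SAMEORIGIN")
IIS_AND_CF_CONFLICT = _response("X-Frame-Options: DENY", "X-Frame-Options: SAMEORIGIN")
UNPROTECTED = _response()

if __name__ == "__main__":
    for label, sample in [("IIS only", IIS_ONLY), ("IIS + CF agree", IIS_AND_CF_AGREE),
                          ("IIS + CF conflict", IIS_AND_CF_CONFLICT), ("no header", UNPROTECTED)]:
        r = audit(sample)
        print(f"{label:18} protected={r['protected']!s:5} {r['note']}")
```

Run it against a real response by pasting the raw headers (for example from a browser's network panel or a `curl -i` capture) into `audit()`; a duplicated but consistent header is reported as protected, a conflicting pair is flagged so that one of the two sources (the IIS custom header or the cfheader tag) can be dropped.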
Participant,
Apr 15, 2015

Then setting the web server to issue the directive is a more complete method. It covers both ColdFusion applications and any other web site (/application) pages.

Thanks for enlightening me on this web environment process!
