Copy link to clipboard
Copied
Are ColdFusion's clickjacking filter options (Clickjacking issue - adding multiple url patterns in a single filter mapping) needed if using Internet Information Services' (IIS) HTTP Response Header option setting X-Frame-Options? Is ColdFusion (Java) interpretation of page IFRAME content occurring independently of IIS web server's interpretation?
Clickjacking is a client side event so "ColdFusion (Java) interpretation of page IFRAME content occurring independently of IIS web server's interpretation" would not be a issue -- assuming any of this is going on, which I cannot fathom how it would be. You can set the X-Frame-Options header value in either IIS or your CF application using CFHeader. If both IIS and CF sets the value, I'm fairly certain the client will receive two header entries and while ugly, as long as they don't conflict with
...Copy link to clipboard
Copied
Clickjacking is a client side event so "ColdFusion (Java) interpretation of page IFRAME content occurring independently of IIS web server's interpretation" would not be a issue -- assuming any of this is going on, which I cannot fathom how it would be. You can set the X-Frame-Options header value in either IIS or your CF application using CFHeader. If both IIS and CF sets the value, I'm fairly certain the client will receive two header entries and while ugly, as long as they don't conflict with each other I think you're fine. Does that answer your question?
Copy link to clipboard
Copied
Is my understanding of your response correct? Web site sends a directive to the client (browser) declaring client should not accept content into IFRAME from anywhere else than the host site? It is up to the client (browser) to handle rejecting any "foreign" (URL path) information within the IFRAME?
Copy link to clipboard
Copied
Correct.
Copy link to clipboard
Copied
X-Frame-Options: DENY is the easiest and most widely used option to prevent clickjacking but there are other client side scripting options as well. See Clickjacking - OWASP
Copy link to clipboard
Copied
Then setting the web server to issue the directive is a more complete method. It covers both ColdFusion applications in addition to any other web site (/application) pages.
Thanks for enlightening me on this web environment process!