Johnathan Au
Reputation: 5362
Alternative to X-Frame-Options for IE7
I have been trying to make my application more secure by adding various features and one of them was to prevent click jacking. I have added the X-frame-options successfully to the response headers but after doing more research I have noticed that this options is not available in IE7. As such, what can I do for IE7 instead?
Upvotes: 3
Views: 535
Answers (1)
Alkema
Reputation: 109
Best-available solution at the moment is to use JavaScript to break the frame. Of course it will not work if JavaScript is not enabled.
From OWASP:
First apply an ID to the style element itself:
<style id="antiClickjack">body{display:none !important;}</style>
And then delete that style by its ID immediately after in the script:
<script type="text/javascript">
if (self === top) {
var antiClickjack = document.getElementById("antiClickjack");
antiClickjack.parentNode.removeChild(antiClickjack);
} else {
top.location = self.location;
}
</script>
Upvotes: 1
Related Questions
- X-Frame-Options: ALLOW-FROM in firefox and chrome
- X-Frame-Options on Apache
- X-Frame-Options Allow-From multiple domains
- tomcat X-Frame-Options or antiClickJackingEnabled
- Respect X-Frame-Options with HTTP redirect
- X-Frames-Options in the meta tag
- Javascript frame killer that still allows frames from own domain?
- x-frame-option SAMEORIGIN and clickjacking in ASP.NET
- Workaround for X-Frame-Options:deny or sameorgin?
- To stop ClickJacking, which one is more secure? breaking out of iframe vs X-Frame-Options to Deny or Same Origin