Reputation: 601
I am currently looking into protecting a website against clickjacking. German Wikipedia gives the following best practice example to do so:
<style> html { display: none; } </style>
<script>
  // Page is hidden by default; reveal it only when we are the top-level window.
  if (self == top) {
    document.documentElement.style.display = 'block';
  } else {
    // We are framed: try to break out by navigating the top window to ourselves.
    top.location = self.location;
  }
</script>
I was wondering, however: what if the client has JavaScript disabled? Then the page will NOT be displayed. We have the requirement to ship a fully functional non-JavaScript version of the app.
Any recommendation to achieve that?
Upvotes: 0
Views: 517
Reputation: 2024
You can use this to prevent clickjacking:
if (window.top !== window.self) {
  // Framed: hide the whole document.
  document.documentElement.style.display = 'none';
}
Upvotes: 0
Reputation: 664144
You can use
<script>
  if (self !== top) {
    // Framed: hide the page first, then try to break out of the frame.
    document.documentElement.style.display = 'none';
    top.location = self.location;
  }
</script>
to still hide the page in case the navigation attempt is successfully attacked. You could also show a message along the lines of self.location.href + " cannot be displayed in a frame." instead.
Of course, this will not prevent your page from being shown in a frame when JavaScript is disabled (maybe not even globally but just in your frame), so you should always send the respective X-Frame-Options header alongside.
Upvotes: 2
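The two answers above both rely on a script running in the browser, and the second one points at the X-Frame-Options header as the control that does not need JavaScript. The following is an added example, not code from the question or from either answer, showing what the server side of that looks like: a hypothetical Node.js demo server that sends both X-Frame-Options and the equivalent Content-Security-Policy frame-ancestors directive (the modern control, which takes precedence in browsers that support it, while X-Frame-Options covers older ones), and serves the page visible by default so a client without JavaScript still gets it. The script-based frame-buster from the second answer is kept in the page only as defence in depth. The function and policy names are assumptions made for this example.

```javascript
// Added example, not from the question or either answer: header-based
// anti-framing that works with JavaScript disabled, plus the script-based
// frame-buster kept only as defence in depth. Hypothetical demo server.

// Map a framing policy to the two response headers that enforce it.
// Content-Security-Policy frame-ancestors is the modern control and takes
// precedence where supported; X-Frame-Options covers older browsers.
function antiFramingHeaders(policy) {
  switch (policy) {
    case 'none': // nobody may frame the page
      return {
        'X-Frame-Options': 'DENY',
        'Content-Security-Policy': "frame-ancestors 'none'",
      };
    case 'self': // only pages from our own origin may frame it
      return {
        'X-Frame-Options': 'SAMEORIGIN',
        'Content-Security-Policy': "frame-ancestors 'self'",
      };
    default:
      throw new Error(`unknown framing policy: ${policy}`);
  }
}

// Minimal HTML escaping for text we interpolate into the document.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the page. It is visible by default (no <style>html{display:none}</style>),
// so a client without JavaScript sees it; the headers keep it out of frames.
// The script only hides the page if it nevertheless ends up framed.
function renderPage(title, bodyHtml) {
  return [
    '<!DOCTYPE html>',
    '<html><head><meta charset="utf-8">',
    `<title>${escapeHtml(title)}</title>`,
    '<script>',
    '  // Defence in depth only; the response headers are the real control.',
    '  if (self !== top) {',
    "    document.documentElement.style.display = 'none';",
    '    top.location = self.location;',
    '  }',
    '</script>',
    '</head>',
    `<body>${bodyHtml}</body></html>`,
  ].join('\n');
}

// Build the full response (status, headers, body) for a page request.
function buildResponse(policy, title, bodyHtml) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      ...antiFramingHeaders(policy),
    },
    body: renderPage(title, bodyHtml),
  };
}

// Run as a demo server only when executed directly under Node (CommonJS).
if (typeof require === 'function' && require.main === module) {
  const http = require('http');
  http.createServer((req, res) => {
    const r = buildResponse('none', 'Demo', '<h1>Not frameable</h1>');
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(8080, () => console.log('listening on http://127.0.0.1:8080/'));
}
```

Run it with `node` and check the headers with `curl -I http://127.0.0.1:8080/`: both X-Frame-Options and Content-Security-Policy should appear on every HTML response, not only on the login page, because an attacker can frame any page that carries a clickable action. Use the 'self' policy (SAMEORIGIN / frame-ancestors 'self') only if your own site frames its pages; otherwise 'none' is the right default.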