W. Young

Reputation: 40

Implementing Checkmarx suggested clickjacking fix introduces high severity Client DOM XSS vulnerability

My organization has scanned our code using Checkmarx and the low severity issue Potential Clickjacking on Legacy Browsers was detected due to a JavaScript function firing on an HTML image click event.

We have implemented the following suggested fixes:

<html>
    <head>
        <style> html {display : none; } </style>
        <script>
            // Legacy frame-busting: reveal the page only when it is the top-level window,
            // otherwise navigate the top window to this page.
            if ( self === top ) {
                document.documentElement.style.display = 'block';
            }
            else {
                top.location = self.location;
            }

            // Handler referenced by the button below (body not shown in the original post).
            function clicked() {
            }
        </script>
    </head>
    <body>
        <button onclick="clicked();">Click here if you love ducks</button>
    </body>
</html>

Now Checkmarx flags the file for the high severity issue Client DOM XSS due to the line:

top.location = self.location;

that was recommended to be added for legacy clickjack protection.

So if we implement the Checkmarx suggested fix on a low severity issue (Potential Clickjacking on Legacy Browsers), we introduce a high severity issue (Client DOM XSS).

What's the proper course of action here?

Upvotes: 1

Views: 9163

Answers (1)

securecodeninja

Reputation: 2515

To reduce the risk of a DOM-based cross-site scripting vulnerability in your web application, URL encode the self.location

top.location = encodeURI(self.location);

Upvotes: 1
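As an added example (not code from the question or the answer), here is a scheme- and origin-checked version of the legacy frame-busting redirect, written so the pure part runs under Node with a constructed stand-in for `window`; `frameBustTarget`, `bustFrame` and `naiveEncode` are names chosen here. It also shows why `encodeURI` applied to an already-serialized href double-encodes `%`.

```javascript
// Added example (not code from the question or the answer). The frame-busting
// script in the question assigns self.location straight to top.location, which a
// taint-tracking scanner reports as a URL-controlled sink. This version parses the
// current URL, allows only http(s) on the expected origin, and uses the WHATWG URL
// serialization, which is already percent-encoded, as the navigation target.

// Return the string to assign to top.location, or null when the current URL
// must not be used as a redirect target. expectedOrigin may be null to skip
// the origin check.
function frameBustTarget(currentHref, expectedOrigin) {
  let url;
  try {
    url = new URL(String(currentHref));   // Location objects stringify to href
  } catch (e) {
    return null;                          // unparseable: refuse to redirect
  }
  // Reject javascript:, data: and other schemes that a location sink would execute.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Optional allow-list: only redirect to our own origin.
  if (expectedOrigin !== null && url.origin !== expectedOrigin) return null;
  return url.href;                        // parser has already percent-encoded it
}

// The answer's approach, for comparison: encodeURI on an already-serialized href
// double-encodes '%' (e.g. '%20' becomes '%2520'), so the redirect target changes.
function naiveEncode(currentHref) {
  return encodeURI(String(currentHref));
}

// Browser-side wrapper mirroring the question's script. `win` is the window object
// (or a constructed stand-in for testing). Returns true when a redirect was issued.
function bustFrame(win) {
  if (win.self === win.top) {
    win.document.documentElement.style.display = 'block'; // not framed: reveal page
    return false;
  }
  const loc = win.self.location;
  const target = frameBustTarget(loc.href, loc.origin);
  if (target === null) return false;      // suspicious URL: stay hidden, do not redirect
  win.top.location = target;
  return true;
}
```

Script-based busting only covers browsers that lack header support; for current browsers the server should also send `Content-Security-Policy: frame-ancestors 'none'` (or `X-Frame-Options: DENY`), which the scanner cannot confuse with a DOM sink.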
