Security to iframe widget from clickjacking or csrf attacks - csrf

I am developing a widget which is to be hosted on a server, say www.exampleserver.com.
Our client will embed this iframe in his site, say www.validclient.com.
Now, on embedding this widget, an SMS will be sent to the client's customer.
Now I was thinking about clickjacking by double framing, in which an attacker may embed our client's URL in an iframe. The widget server then finds that the request is from the valid client and sends an SMS.
Valid client code:
<html>
<!-- some lines of code -->
<iframe src="http://www.exampleserver.com"></iframe>
<!-- some lines of code -->
</html>
Attacker code:
<html>
<!-- some lines of code -->
<iframe src="http://www.validclient.com"></iframe>
<!-- some lines of code -->
</html>
So I just want my server URL's content to be rendered in the client's iframe, not in the attacker's iframe. For this security I have used:
Content-Security-Policy: frame-ancestors http://www.validclient.com
AND
X-Frame-Options: ALLOW-FROM http://www.validclient.com
This is amazing; it blocks our URL in the attacker's iframe.
But this is not supported by Internet Explorer and some other browsers.
Please tell me any other approach for prevention of this attack which must be universal for all browsers.
Thanks in advance. Hoping for positive replies.
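As an added example (not code from the question), a client-side fallback the widget page can ship alongside the frame-ancestors and X-Frame-Options headers for browsers that ignore them: the document stays hidden until the framing chain is verified. Chromium-family browsers expose every ancestor through location.ancestorOrigins; elsewhere only document.referrer (the direct parent) is visible, so the check degrades to verifying the immediate embedder and cannot see a double-framing page above it. The allowlist origin is an assumption.

```javascript
// Added example, not from the question. Origins permitted to frame the widget (assumed).
const ALLOWED_FRAMERS = ["https://www.validclient.com"];

// Returns true only when the whole visible framing chain is on the allowlist.
// ancestors: array of ancestor origins, or null when the browser does not
// expose location.ancestorOrigins; referrer: the value of document.referrer.
function framingAllowed(ancestors, referrer, allowlist) {
  if (ancestors !== null) {
    // Not framed at all: the widget is meant to live inside the client's page.
    if (ancestors.length === 0) return false;
    // Every ancestor (parent, grandparent, ...) must be an allowed origin;
    // a double-framing page anywhere in the chain fails this check.
    return ancestors.every((origin) => allowlist.includes(origin));
  }
  // Fallback: only the direct parent is visible via the Referer, so this is
  // weaker; treat a missing or malformed referrer as "not allowed".
  if (!referrer) return false;
  let parentOrigin;
  try {
    parentOrigin = new URL(referrer).origin;
  } catch (e) {
    return false;
  }
  return allowlist.includes(parentOrigin);
}

// Browser wiring; guarded so the file also loads outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const ancestors = window.location.ancestorOrigins
    ? Array.from(window.location.ancestorOrigins)
    : null;
  const ok = framingAllowed(ancestors, document.referrer, ALLOWED_FRAMERS);
  // Reveal the widget only when the framing chain checks out.
  document.documentElement.style.display = ok ? "" : "none";
}
```

The server-side headers remain the primary control; this script only narrows the gap for browsers that lack them.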

Related

How to redirect a google blog page....unless it is being contained in an iframe?

So I have a Google blog page which I would like to redirect to my page, which has an iframe of my Google blog page. When I put the following code in, it redirects to my page containing the iframe:
<head>
<meta http-equiv="refresh" content="0;url=//mysite.com"/>
</head>
However, obviously, in the iframe it continuously redirects and just fills up the page with the iterating header.
I found many ways to test if a page is being loaded in a browser or an iframe (such as this solution: How to identify if a webpage is being loaded inside an iframe or directly into the browser window?); however, they all use JavaScript or script tags, which Blogger does not seem to support (it refuses to save changes). Is there a way to do this test using just HTML?
No. But the web server can detect it via the existence of a referrer string. Here is one way to do it in an Apache .htaccess file:
SetEnvIf Referer ^http remote
<FilesMatch "\.(html|xml)">
order deny,allow
deny from env=remote
allow from all
</FilesMatch>

Disadvantage of redirecting to error page on javascript disabled

I searched the web and I didn't find any website using this technique. When JavaScript is disabled or isn't supported by the browser, all those websites show small error boxes above their main content, while no one is using the redirect-to-error-page technique. I am using the following code on my site to do this:
<noscript>
Javascript is disabled.
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.wrangle.in/jserror.aspx">
</noscript>
But as my research showed little usage of this feature on the web, I want to know whether there is any disadvantage of this technique due to which these websites are not using it.

Chrome/IE doesn't request any resource across non-https in Facebook application

There is a problem with Facebook applications/page tabs and Chrome/Internet Explorer users that have checked the "secure browsing" setting in their profile, but not only them.
The problem arises when Facebook opens our app over the https protocol. Let's assume that we have an app and all our resources are accessible over https. When a user visits our app, everything is working except iframe/JS widgets provided by external sites without SSL, like some counters, an instant messaging widget, etc.
What to do if the page where the widget comes from doesn't let us generate an SSL version of the code, and just changing http to https doesn't work either because of a lack of certificates/SSL being enabled, etc.?
TripAdvisor widget
The answer is: replace this script tag with the TripAdvisor script.
This:
<script src="http://www.jscache.com/wejs?wtype=sswidecollectreview&uniq=612&locationId=1480219&lang=en_US&border=true"></script>
To this tag from the TripAdvisor script:
<script src="https://www.tripadvisor.com/WidgetEmbed-sswidecollectreview?uniq=831&locationId=308116&border=true&lang=en_US"></script>
and add the [ s ] character to the link for images [https], like this:
<a target="_blank" href="http://www.tripadvisor.com/"><img src="http://www.tripadvisor.com/img/cdsi/img2/branding/medium-logo-12097-2.png" alt="TripAdvisor"/></a>
To this:
<a target="_blank" href="http://www.tripadvisor.com/"><img src="https://www.tripadvisor.com/img/cdsi/img2/branding/medium-logo-12097-2.png" alt="TripAdvisor"/></a>
It works...
Basically what the "padlock"/SSL indicator in the browser indicates is that the whole page is secure.
That means, no insecure content is included on the page without explicit warning by the browser that that is the case.
There may be browser specific workarounds (aka bugs), but relying on them for your page to work is not a good idea.
The best "workaround" is likely to just contact the people hosting the widgets and inform them about your problem, or if possible just plain hosting the widgets on your own secure site.

301/302 with document body showing 'click here if your browser doesn't redirect you' anchor

We will be implementing a tiny document body with all our 301 and 302 responses.
They will contain a small bit of html with an anchor pointing towards the URL where the user should be redirected.
Are there any pitfalls or things we should know about when doing this or is it as simple as including the html in the document body when sending out a 'location' header?
If a browser sees a 301/302 HTTP result code it will IGNORE the document/response body and instantly redirect to the URL specified in the Location: response header.
But yes -- you can display such a page and redirect to a new URL... but this will be the same as a normal click on a link (and not a 301/302 redirect by any means) and therefore is not good for SEO purposes. If interested -- this is how it can be done:
When the user hits such a page, show him/her your redirect message/page. On that page, such a redirect can be achieved in 2 ways:
Using JavaScript -- window.location = "http://www.example.com/new-url". All you need to do is execute this code 10 seconds after the page is loaded -- for that, use setTimeout().
Without JavaScript (the preferred method, as it will work even if JavaScript is disabled or not available), using a <meta http-equiv="refresh"> header line:
<meta http-equiv="refresh" content="10; url=http://www.example.com/new-url">

Facebook Secure Canvas URL Requirement and Legacy Applications

With Facebook requiring a secure URL for Canvas applications on October 1st, what will happen to legacy applications that have no URL specified for the Secure Canvas URL? Will they continue to load over HTTP and fail over HTTPS?
Suppose an application has URLs specified for the Canvas, Page Tab, and Secure Page Tab, but no URL specified for the Secure Canvas.. will these applications continue to function, or will they be blocked entirely because they lack a secure URL for the Canvas?
Use a simple bit.ly address in your canvas URL... it works.
Well the applications without secure connection (https) are still working. Today is October 05 and I'm not seeing any sort of change in my apps. They are working nicely and people have access.
Yes, unfortunately the entire app will be blocked; well, that's what I'm reading around the web anyway.
AFAIK you need your secure URL to have some location URL for it to function.
And now I see Facebook has added a message for users to enable secure browsing when you log in, so there is even more reason now to get a secure link than ever.
If you are struggling try out http://social-server.com. Instead of buying a SSL certificate it does the same thing for free and its instant!
Applications will enter a new 'disabled' mode, similar to sandbox, until Secure Callback URL is set.
Come October 1st, as the dev pages on Facebook state, you will be required to have a secure URL. I just picked up a cheap SSL cert from GoDaddy for like 16 bucks for a year. I do not know if they still have the deal going on, but it is definitely worth checking. Once the cert is installed on your server, you do not need to migrate anything; the whole process took like 2 hours, most of which was waiting on GoDaddy.
Just researching this issue; I don't have an SSL cert, and when I try to access my app as a Facebook app I get:
I think no SSL is the cause, so it looks like I need to buy one :(
I have come up with an interesting hack for this problem.
You can create an HTML file that is accessible over HTTPS that just redirects to your webpage. For example, you can use Dropbox. Since Facebook loads your secure canvas URL page in an iframe, your code needs to redirect the top page. Something like this:
<html>
<head>
<script>
// Replace the frame-set page (Facebook's) with your own site.
function onLoad() {
window.top.location.href = '<your website>';
}
</script>
</head>
<body onload="onLoad()">
<p>Please wait while you are being redirected to <your website name>...</p>
</body>
</html>
And provide this link as the secure canvas URL. I blogged about this in more detail - http://blog.almabase.com/post/84579042935/interesting-hack-for-facebook-secure-canvas-url