Clickjacking is when an attacker uses a frame to display a site and applies one or more invisible layers over the site, tricking the user into thinking they are clicking on one thing when they are actually clicking on the something in the invisible layer. A defense against Clickjacking utilizes response headers from the server that tell the browser whether it is ok to frame the page. Because of compliance differences in browsers, two different headers must be used to indicate domains allowed to frame. These two headers (X-Frame-Options and Content-Security-Policy) are described below. ThingWorx utilizes both of these headers, enabling the administrator to configure to disallow all framing, only allow framing from its own origin, or allow framing from a specific domain.

The two headers used to combat Clickjacking are X-Frame-Options and Content-Security-Policy.

The Content Security Policy Level 2, which contains frame-ancestors, is supported by the current version of all browsers except Internet Explorer, Edge, Opera Mini, and only partially supported as of Firefox 52. A full list can be found at: http://caniuse.com/#feat=contentsecuritypolicy2. The X-Frame-Options Allow-From header is supported in Internet Explorer as of version 8 and Firefox as of version 18, but is not supported by Chrome, Safari, or Opera. A list of supported browsers can be found at: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations

For information on configuring ClickjackFilter when Content Security Policy Filter is turned on, see Content Security Policy in the ThingWorx Platform Help Center.

For information on configuring ClickjackFilter when Content Security Policy Filter is turned off, see Allowing Embedded Mashups in iFrames in the ThingWorx Platform Help Center.