ThingWorx ClickJack Support
Clickjacking is when an attacker uses a frame to display a site and applies one or more invisible layers over it, tricking the user into thinking they are clicking on one thing when they are actually clicking on something in the invisible layer. A defense against Clickjacking uses response headers from the server that tell the browser whether it is ok to frame the page. Because browsers differ in which header they honor, two different headers must be used to indicate the domains allowed to frame the page. These two headers (X-Frame-Options and Content-Security-Policy) are described below. ThingWorx sends both of these headers, enabling the administrator to disallow all framing, allow framing only from its own origin, or allow framing from a specific domain.
Header Descriptions
The two headers used to combat Clickjacking are X-Frame-Options and Content-Security-Policy.
Content Security Policy Level 2, which introduces the frame-ancestors directive, is supported by the current versions of all browsers except Internet Explorer, Edge, and Opera Mini, and is only partially supported in Firefox as of version 52. A full list can be found at http://caniuse.com/#feat=contentsecuritypolicy2. The X-Frame-Options ALLOW-FROM directive is supported in Internet Explorer as of version 8 and in Firefox as of version 18, but is not supported by Chrome, Safari, or Opera. A list of supported browsers can be found at https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations
X-Frame-Options
• DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so.
• SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
• ALLOW-FROM http://example.com - The page can only be displayed in a frame on the specified origin.
Content-Security-Policy
• frame-ancestors 'none' - Prevents loading the page in a frame from any origin.
• frame-ancestors 'self' - Allows loading the page in a frame, but only from the same origin.
• frame-ancestors domain1.com domain2.com - Allows loading the page in a frame, but only from the domains in the given list.
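The three framing policies above, built as the header pair a server such as ThingWorx would send and then evaluated the way a CSP Level 2 browser and a legacy (X-Frame-Options-only) browser would each decide. This is an added example, not ThingWorx's own ClickjackFilter code; the host names are constructed, and host-only frame-ancestors sources are matched on host alone, a simplification of the CSP source-matching rules.

```python
from urllib.parse import urlsplit

def clickjack_headers(mode, allowed_origin=None):
    """Return both anti-framing headers for one policy: 'deny', 'sameorigin'
    or 'allow-from'. Both are sent because legacy browsers only honour
    X-Frame-Options, while CSP2 browsers honour frame-ancestors (and ignore
    X-Frame-Options when frame-ancestors is present)."""
    if mode == "deny":
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if mode == "sameorigin":
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    if mode == "allow-from" and allowed_origin:
        # X-Frame-Options takes exactly one origin; frame-ancestors takes a list
        return {"X-Frame-Options": f"ALLOW-FROM {allowed_origin}",
                "Content-Security-Policy": f"frame-ancestors {allowed_origin}"}
    raise ValueError("mode must be deny, sameorigin, or allow-from <origin>")

def _origin(url):
    """(scheme, host[:port]) of a URL; a bare host is treated as https."""
    p = urlsplit(url if "://" in url else "https://" + url)
    return p.scheme.lower(), p.netloc.lower()

def _source_matches(src, page, framer):
    """Match one frame-ancestors source expression against the framing origin."""
    if src == "'none'":
        return False
    if src == "'self'":
        return framer == page
    if "://" in src:                 # scheme given: the whole origin must match
        return _origin(src) == framer
    return _origin(src)[1] == framer[1]   # host only: scheme not checked (simplified)

def framing_allowed(headers, page_url, framer_url, supports_csp2=True):
    """Would a browser render page_url inside a frame hosted on framer_url?"""
    page, framer = _origin(page_url), _origin(framer_url)
    csp = headers.get("Content-Security-Policy", "")
    if supports_csp2 and csp.startswith("frame-ancestors"):
        return any(_source_matches(s, page, framer) for s in csp.split()[1:])
    # Legacy browser (or no CSP): fall back to X-Frame-Options
    directive, _, value = headers.get("X-Frame-Options", "").partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return framer == page
    if directive == "ALLOW-FROM":
        return _origin(value) == framer
    return True  # no header at all: the browser frames freely
```

Running the same policy through both branches shows why both headers are needed: a Chrome-class browser decides on frame-ancestors, while an Internet Explorer 8 or Firefox 18 class browser only ever sees X-Frame-Options.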
To improve the security posture of ThingWorx customers, Content Security Policy (CSP) is added to the ThingWorx Platform beginning with ThingWorx 9.3.15, 9.4.5, and 9.5.1. For more information, see Content Security Policy in the ThingWorx Platform Help Center.
ThingWorx Support
Configuration
For information on configuring ClickjackFilter when the Content Security Policy Filter is turned on, see Content Security Policy in the ThingWorx Platform Help Center.
For information on configuring ClickjackFilter when the Content Security Policy Filter is turned off, see Allowing Embedded Mashups in iFrames in the ThingWorx Platform Help Center.