Scribd
Upload
11 views2 pages

Clickjacking Protection

Clickjacking Protection

Uploaded by

venulaca
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
11 views2 pages

Clickjacking Protection

Clickjacking Protection

Uploaded by

venulaca
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 2

Clickjacking Protection

Clickjacking (or UI redressing) is a type of attack


that tricks the user into triggering actions within an
application by hijacking mouse clicks or other user
inputs.
In the simplest attack scenario, an invisible iFrame
containing the attacked page is positioned over an
attacker-controlled page. The user thinks the UI is
original and is unaware of the actual actions
triggered on the invisible page in the frame. To
protect against this attack, you need to control
whether to render your application within a frame
and which pages are allowed.
The allowlist service is an ABAP-wide service and
supports HTML-based frameworks to implement
protections. By default, clickjacking protection is
active.
As soon as the protection is enabled, a special
check is performed every time an application is
rendered. If the application is embedded into
another one, the check determines whether the
other application is secure. If the check fails, the
embedded application is not framed. An error
message appears.
An application is considered secure if one of the
following applies:
 The application itself is not embedded in

another frame
 The host of the application is part of the same

domain as the embedding applications (same


origin policy).
 The host of the application is part of the

allowlist. For multi-domain scenarios, you have


to make sure that the host name of the
application in which your application is
embedded, is part of the allowlist.

You might also like