android apache httpd.conf same-origin-policy

Android Iframe SameOrigin on custom sites


We have an Android application that's iframe-ing our website into their application. However, to prevent clickjacking, we have the following directive in our proxy config:

Header append X-FRAME-OPTIONS "SAMEORIGIN"

This is a very common Cross-Origin Resource Sharing strategy.

Unfortunately the WebView in an Android browser has the origin file://, which is different from the domain we use. This leads to the error "refused to display: x-frame-options set to sameorigin".

What strategies (either on the proxy or the client side) can I employ to allow the Android application to interact with our site (without COMPLETELY removing SAMEORIGIN)?


Solution

  • I don't think you can do that, since Chromium doesn't see Allow-From as a feature[1] and Android relies heavily on Chromium's frameworks for WebViews.

    I'm guessing your requirement is to block browser-based clickjacking?

    Since you can't use Allow-From, you may want to think about an approach similar to the one outlined in this BlackHat talk[2], UI Redressing Attacks on Android Devices. I'd recommend reading the entire PDF; really interesting stuff.

    Check out Chapter 5, MITIGATION TECHNIQUES, Section 1, Browser-Based UI Redressing.

    <!-- Hide the whole page until the script below confirms it is not framed -->
    <style id="antiClickjack">
        body { display: none !important; }
    </style>
    <script type="text/javascript">
        if (self === top) {
            // Not framed: remove the hiding rule so the page becomes visible
            var antiClickjack = document.getElementById("antiClickjack");
            antiClickjack.parentNode.removeChild(antiClickjack);
        } else {
            // Framed: break out of the frame by navigating the top window to this page
            top.location = self.location;
        }
    </script>
    

    [1] https://code.google.com/p/chromium/issues/detail?id=129139#c20
    [2] https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf
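As an added illustration (not code from the question or the answer above), the following JavaScript models the decision a browser makes when a framed response carries X-Frame-Options, and shows why a WebView page loaded from file:// is refused under SAMEORIGIN: a file: URL has an opaque origin, which never compares equal to any other origin. The site origin https://www.example.com, the file:///android_asset/app.html path and the treatment of ALLOW-FROM as an unrecognised (hence ignored) directive, per the Chromium issue cited in [1], are assumptions made for the example. The model checks every ancestor in the framing chain, as the HTML standard specifies; older implementations compared only against the top-level document.

```javascript
// Added example: a model of the browser-side X-Frame-Options check.
// The origins, paths and the ALLOW-FROM behaviour below are assumptions.

// Reduce a URL to its origin. Browsers give file: URLs an opaque origin,
// which is never same-origin with anything, not even another file: URL.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol === 'file:') {
    return { opaque: true };
  }
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol] || '';
  return { opaque: false, scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

// Same-origin comparison: scheme, host and port must all match, and an
// opaque origin fails the comparison unconditionally.
function sameOrigin(a, b) {
  if (a.opaque || b.opaque) {
    return false;
  }
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Evaluate a single X-Frame-Options directive for a document at framedUrl whose
// framing chain (immediate parent first, top-level document last) is `ancestors`.
// Returns { decision: 'allow' | 'deny', reason }.
function evaluateXFO(headerValue, framedUrl, ancestors) {
  const directive = headerValue.trim().toUpperCase();
  if (ancestors.length === 0) {
    return { decision: 'allow', reason: 'document is not framed' };
  }
  if (directive === 'DENY') {
    return { decision: 'deny', reason: 'DENY forbids all framing' };
  }
  if (directive === 'SAMEORIGIN') {
    const self = originOf(framedUrl);
    const offending = ancestors.find((a) => !sameOrigin(self, originOf(a)));
    if (offending !== undefined) {
      return { decision: 'deny', reason: `ancestor ${offending} is not same-origin` };
    }
    return { decision: 'allow', reason: 'every ancestor is same-origin' };
  }
  if (directive.startsWith('ALLOW-FROM')) {
    // Assumption, following the Chromium issue cited above: ALLOW-FROM is not
    // implemented, the header is treated as invalid and therefore does not block.
    return { decision: 'allow', reason: 'ALLOW-FROM not recognised; header ignored' };
  }
  return { decision: 'allow', reason: 'unrecognised directive; header ignored' };
}

// The scenario from the question, with constructed URLs: the site is framed
// by a same-origin page (allowed) and by an Android WebView page loaded from
// the app's assets over file:// (refused).
function questionScenario() {
  const site = 'https://www.example.com/app';
  return {
    sameOriginFrame: evaluateXFO('SAMEORIGIN', site, ['https://www.example.com/host.html']),
    webViewFrame: evaluateXFO('SAMEORIGIN', site, ['file:///android_asset/app.html']),
  };
}

const result = questionScenario();
console.log('same-origin frame:', result.sameOriginFrame);
console.log('WebView file:// frame:', result.webViewFrame);
```

The model takes one directive per call. Note that Apache's `Header append` merges a value into an existing header as a comma-separated list rather than replacing it, so if the origin server already emits X-Frame-Options the browser receives more than one directive; `Header set` is the usual choice for this header.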