Tags: javascript, csrf, static-analysis

frame busting as csrf


I'm analyzing an application using a static code analyzer, and it is flagging a frame-busting script as if it were a CSRF vulnerability. I have been researching why this is happening, but with no luck, so if anyone knows what's going on I would appreciate the help. This is the part of the script that has the issue:

<script type="text/javascript">
    // Page is the top-level document: reveal the body (which is hidden by default).
    if (self == top) {
        document.getElementsByTagName("body")[0].style.display = "block";
    } else {
        // Page is inside a frame: break out by navigating the top window to ourselves.
        top.location = self.location;
    }
</script>


Solution

  • Client-side frame-busting techniques are unsafe ("frame buster busting"). See e.g. https://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf

    If you rely only on the above frame-busting code, a malicious person could still manage to display your site in an iframe and employ "click-jacking" to let an unsuspecting victim perform an action on your website (i.e. send an authorised request to perform a harmful action without being aware of it = Cross-Site Request 'Forgery').