My organization has scanned our code using Checkmarx and the low severity issue Potential Clickjacking on Legacy Browsers was detected due to a JavaScript function firing on an HTML image click event.
We have implemented the following suggested fixes:
Define and implement a Content Security Policy (CSP) on the server side, including a frame-ancestors directive (frame-ancestors 'self')
"X-Frame-Options" header set to "SAMEORIGIN"
Legacy browser support is needed so added a frame-busting script similar to the following example in the Checkmarx documentation:
<html>
<head>
<style> html {display : none; } </style>
<script>
if ( self === top ) {
document.documentElement.style.display = 'block';
}
else {
top.location = self.location;
}
</script>
</head>
<body>
<button onclick="clicked();">Click here if you love ducks</button>
</body>
</html>
Now Checkmarx flags the file for the high severity issue Client DOM XSS due to the line:
top.location = self.location;
that was recommended to be added for legacy click jack protection.
So if we implement the Checkmarx suggested fix on a low severity issue (Potential Clickjacking on Legacy Browsers), we introduce a high severity issue (Client DOM XSS).
What's the proper course of action here?
To reduce the risk of a DOM-based cross-site scripting vulnerability in your web application, URL encode the self.location
top.location = encodeURI(self.location);