Block other websites from displaying your website pages or Feeds in iFrames, Clickjacking Protection

  • #21331
    AITpro Admin
    Keymaster

    For a while now I have not bothered to do anything about Rssing.com grabbing the AITpro.com website Feeds and posting them in iFrames on the Rssing.com site, but I see a growing problem developing that seriously concerns me, and that problem is that when I do searches in the Search Engines I see that Rssing.com search results are now competing with the AITpro.com search results for the AITpro.com websites' original content.  It would not be that big of a deal if Rssing.com did not display the original content of the AITpro.com websites in iFrames on the Rssing.com site.  To prevent other sites from displaying your website pages or Feeds in iFrames on their sites you can add the Bonus Custom Code below.

    Pros:
    There is a Read More link included in some of the Feed summaries, but not all of them. Most of the leeched Feed content is grabbed entirely without providing a source/reference link to the original content.

    Cons:
    AITpro website pages are shown in iFrames on the Rssing.com website.
    Google Analytics Metrics show that over a 1 year period 24 visits have come from Rssing.com.
    Google search results show results for Rssing.com competing with search results for AITpro.com websites.
    Rssing.com is not linking back to the AITpro websites. Webmaster Tools does not show a linkback link from Rssing.com

    Summary:
    Rssing.com will probably cost you visitor traffic to your website and not increase visitor traffic to your website. Quite a lot of other sites have submitted requests to Google to have the Rssing.com content removed from the Google Search Engine/Database:  https://www.google.com/transparencyreport/removals/copyright/domains/rssing.com/

    Solution:
    1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
    2. Click the Save Root Custom Code button.
    3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
    3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode.

    Notes:
    • This code goes after php/php.ini handler .htaccess code (if you have php/php.ini handler .htaccess code) and before any caching .htaccess code (if you have any .htaccess caching code). The order would be: 1. php/php.ini handler .htaccess code, 2. the iFrame htaccess code and then 3. htaccess caching code in this Custom Code text box.
    • If you add this code in an .htaccess file in the root of your hosting account (/public_html/.htaccess), then this code will be applied to all of your websites under your hosting account. You would not need to add this code to each of your other sites' htaccess files.

    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: iFrames from the same site are allowed - other sites are blocked
    Header always append X-Frame-Options SAMEORIGIN
    </IfModule>

    Clickjacking Wiki Info: http://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options

    Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions.

    A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.

    Note: You can combine the External iFrame|Clickjacking Bonus Custom Code above with the MIME sniffing|Drive-by Download Attack Bonus Custom Code here: http://forum.ait-pro.com/forums/topic/mime-sniffing-data-sniffing-content-sniffing-drive-by-download-attack-protection/

    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    Header always append X-Frame-Options SAMEORIGIN
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>
    #21667
    Krzysztof
    Participant

    Should this code go before or after

    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    <IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
    </IfModule>
    #21668
    AITpro Admin
    Keymaster

    The order does not matter and/or you can combine the code:

    <IfModule mod_headers.c>
    # Block other sites from displaying your website in iFrames & Protects against Clickjacking
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: Use SAMEORIGIN. iFrames from the same site are allowed but other sites are blocked
    Header always append X-Frame-Options SAMEORIGIN
    # Protects against Drive-by Download attacks & MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>
    #25492
    Paul
    Participant

    So am I correct in saying this

    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    Header always append X-Frame-Options SAMEORIGIN
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>

    Goes before

    # BEGIN WEBSITE SPEED BOOST
    # Time cheat sheet in seconds

    What happens if I have iframes, i.e. tube, on my site?

    #25497
    AITpro Admin
    Keymaster

    Yes.  That is the correct place/order for the code in Custom Code.

    Solution:
    1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE

    Notes:
    • This code goes after php/php.ini handler .htaccess code (if you have php/php.ini handler .htaccess code) and before any caching .htaccess code (if you have any .htaccess caching code). The order would be: 1. php/php.ini handler .htaccess code, 2. the iFrame htaccess code and then 3. htaccess caching code in this Custom Code text box.

    # Recommended: SAMEORIGIN – iFrames from the same site are allowed – other sites are blocked
    # Block other sites from displaying your website in iFrames

    This means that all iframes on your website are allowed. An iframe on your site loads your content from your site. If someone added an iframe on their site that iframed your site then they would be loading your site content from their site – that would not be SAMEORIGIN.

    #28682
    John
    Participant

    Hi,

    I have Google reCaptcha on my site, and it seems that Google reCaptcha button is in an iFrame. Do I understand correctly that with SAMEORIGIN, Google reCaptcha should be functioning properly?

    Thank you in advance for your reply.

    #28693
    AITpro Admin
    Keymaster

    @ John – Yes, you are correct.  An iframe on your site loads your content (Google Recaptcha) from your site. If someone added an iframe on their site that iframed your site then they would be loading your site content from their site.

    #37859
    webstar
    Participant

    I am trying to install a click tracking app and I was told by the app owner that I had to remove the x-frame sameorigin option in my htaccess.

    This click tracking has a link shortener and call-to-action (CTA) feature where a pop-up appears on the destination url. These are set up in their dashboard. I also used a custom domain, which I set as click.example.com.

    I also had to set up a CNAME and set it with a url, let’s say it’s click.trackapp.io. Not sure if this is relevant, as I don’t know what it does, but, I just thought I would include it in case it is.

    So, it did work when I commented out the header x-frame option.

    But, I was just wondering if there is a way to keep this security measure and just allow whatever exception is needed to make it work. I read how to allow an exception for one url using allow-from in the x-frame command. But, I haven’t seen any examples for allowing two. I’m thinking I want to try allowing for click.example.com and click.trackapp.io (that is in the CNAME).

    I tried only allowing click.example.com and the CTA pop-up worked, but, the destination url didn’t. I would get a Couldn’t connect message.

    Have you come across this kind of issue? Do you know how to allow more than one url in that x-frame command or how to make this work without totally disabling the x-frame option?

    I did send a note to the app owner yesterday, but, I haven’t heard back yet.

    #37860
    AITpro Admin
    Keymaster

    X-Frame-Options are limited to your website.  They only apply to your website and cannot be used for another website.  So the allow-from option can only be used for your website URI and cannot be used for another website’s URI.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

    There are three possible directives for X-Frame-Options:

    X-Frame-Options: deny
    X-Frame-Options: sameorigin
    X-Frame-Options: allow-from https://example.com/

    Directives

    If you specify deny, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify sameorigin, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.

    deny

    The page cannot be displayed in a frame, regardless of the site attempting to do so.

    sameorigin

    The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin (see bug 725490). Also see Browser compatibility for support details.

    allow-from uri

    The page can only be displayed in a frame on the specified origin. Note that in Firefox this still suffers from the same problem as sameorigin did — it doesn’t check the frame ancestors to see if they are in the same origin.
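    Added example, not code from this forum thread or from the BulletProof Security plugin: a small Python evaluator that takes a page's response headers and decides whether a given chain of ancestor origins may frame it. It covers the combined BPS header block posted earlier in the thread and the "allow two origins" question above. The X-Frame-Options part follows the HTML Standard's processing as I understand it (values are lower-cased and de-duplicated, a mix of recognised values such as SAMEORIGIN plus DENY is treated as DENY, and an unrecognised value such as the obsolete ALLOW-FROM is ignored, leaving the page framable anywhere). The Content-Security-Policy `frame-ancestors` matcher is deliberately simplified (only 'self', 'none', and scheme://host[:port] sources with an optional `*.` host wildcard); `frame-ancestors` is the directive that accepts a list of several framing origins. All header sets and hostnames (including click.trackapp.io, the placeholder used in the question) are constructed for the demo.

```python
# Added example (not from the BPS forum post or plugin): evaluate a page's
# framing policy from its response headers. Header samples are constructed.
from urllib.parse import urlsplit

def origin_of(url):
    """Lower-cased scheme://host[:port] origin of a URL."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def header_values(headers, name):
    """All values of a header; comma-joined lists (what mod_headers 'append'
    produces when the header already existed) are split into single values."""
    vals = []
    for key, value in headers:
        if key.lower() == name.lower():
            vals.extend(v.strip() for v in value.split(",") if v.strip())
    return vals

def frame_ancestors(headers):
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for key, value in headers:
        if key.lower() == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    return parts[1:]
    return None

def source_matches(source, ancestor, page_origin):
    """Simplified CSP source-expression match (assumption: only these forms)."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return ancestor == page_origin
    scheme, _, host = src.partition("://")
    if not host:
        return False  # scheme-only and other source forms are not handled here
    anc = urlsplit(ancestor)
    if scheme != anc.scheme:
        return False
    if host.startswith("*."):
        return anc.netloc.endswith(host[1:])
    return anc.netloc == host

def framing_allowed(headers, page_url, ancestor_origins):
    """Return (allowed, reason) for page_url embedded under ancestor_origins."""
    page = origin_of(page_url)
    ancestors = [origin_of(a) for a in ancestor_origins]
    # An enforced frame-ancestors directive wins; X-Frame-Options is then ignored.
    sources = frame_ancestors(headers)
    if sources is not None:
        for anc in ancestors:
            if not any(source_matches(s, anc, page) for s in sources):
                return False, f"CSP frame-ancestors blocks {anc}"
        return True, "CSP frame-ancestors allows every ancestor"
    # Ordered de-duplication of lower-cased values, mirroring the spec's set.
    xfo = list(dict.fromkeys(v.lower() for v in header_values(headers, "X-Frame-Options")))
    if not xfo:
        return True, "no framing policy: any site may frame this page"
    if len(xfo) > 1 and set(xfo) & {"deny", "allowall", "sameorigin"}:
        return False, f"conflicting X-Frame-Options values {xfo}: treated as DENY"
    if xfo[0] == "deny":
        return False, "X-Frame-Options DENY"
    if xfo[0] == "sameorigin":
        for anc in ancestors:
            if anc != page:
                return False, f"X-Frame-Options SAMEORIGIN: ancestor {anc} is not {page}"
        return True, "X-Frame-Options SAMEORIGIN: all ancestors are same-origin"
    return True, f"unrecognised X-Frame-Options value {xfo[0]!r} is ignored: framable anywhere"

# Constructed response header sets; hostnames are placeholders.
PAGE = "https://www.example.com/some-post/"
SAMPLES = {
    "bps_recommended": [("X-Frame-Options", "SAMEORIGIN"), ("X-Content-Type-Options", "nosniff")],
    "appended_twice": [("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN")],
    "conflicting": [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://click.example.com")],
    "csp_two_origins": [("X-Frame-Options", "SAMEORIGIN"),
                        ("Content-Security-Policy",
                         "frame-ancestors 'self' https://click.example.com https://click.trackapp.io")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        for anc in ("https://www.example.com", "https://click.trackapp.io", "https://leecher.example"):
            allowed, why = framing_allowed(hdrs, PAGE, [anc])
            print(f"{name:16} {anc:26} {'ALLOW' if allowed else 'BLOCK'}  {why}")
```

    Running the script prints one verdict per sample and ancestor. Two results are worth noting for the thread: the duplicated "SAMEORIGIN, SAMEORIGIN" value that `Header append` can produce still evaluates as SAMEORIGIN, whereas a SAMEORIGIN/DENY pair from two different sources evaluates as DENY; and an ALLOW-FROM value is simply ignored, so a site relying on it has no framing protection at all, while the `frame-ancestors` sample allows exactly the listed origins and nothing else.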

    #41617
    Hannah
    Participant

    I have an urgent situation with embedded pdf files not displaying. The plugin I’m using embeds them from the client’s Google drive. I don’t see anything in the htaccess file that blocks them, but the inspector reports these errors:

    [Error] Unrecognized Content-Security-Policy directive ‘require-trusted-types-for’.

    [Error] Refused to display ‘https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&continue=https://drive.google.com/file/d/190cK4JHDJGW7OHAX_c-GIGIrIvg6HtDj/preview?usp%3Ddrivesdk&followup=https://drive.google.com/file/d/190cK4JHDJGW7OHAX_c-GIGIrIvg6HtDj/preview?usp%3Ddrivesdk&’ in a frame because it set ‘X-Frame-Options’ to ‘DENY’.

    What should I do?

    #41619
    Hannah
    Participant

    I figured it out and the files are now displaying as intended using a different plugin…sorry for the false alarm!

    #41620
    AITpro Admin
    Keymaster

    Great! Thanks for letting me know that.
