
Prevention

Published 2024-10-11 20:33:57

Two conditions must be met for a clickjacking vulnerability to happen. First, the vulnerable page has to have functionality that executes a state-changing action on the user’s behalf. A state-changing action causes changes to the user’s account in some way, such as changing the user’s account settings or personal data. Second, the vulnerable page has to allow itself to be framed by an iframe on another site.

The HTTP response header X-Frame-Options lets a web page indicate whether its contents may be rendered in an iframe. When the header is present, browsers follow its directive; otherwise, pages are frameable by default.

This header offers two options: DENY and SAMEORIGIN. If a page is served with the DENY option, it cannot be framed at all. The SAMEORIGIN option allows framing from pages of the same origin: pages that share the same protocol, host, and port.

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

To prevent clickjacking on sensitive actions, the site should serve one of these options on all pages that contain state-changing actions.

The Content-Security-Policy response header is another possible defense against clickjacking. This header’s frame-ancestors directive allows sites to indicate whether a page can be framed. For example, setting the directive to 'none' will prevent any site from framing the page, whereas setting the directive to 'self' will allow the current site to frame the page:

Content-Security-Policy: frame-ancestors 'none';
Content-Security-Policy: frame-ancestors 'self';

Setting frame-ancestors to a specific origin will allow that origin to frame the content. This header will allow the current site, as well as any page on the subdomains of example.com, to frame its contents:

Content-Security-Policy: frame-ancestors 'self' *.example.com;
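The following is an added example, not code from the original page: a small Python checker that applies the rules above to a set of response headers and reports whether a given page could be framed from a given origin. It handles X-Frame-Options DENY and SAMEORIGIN, and the frame-ancestors sources 'none', 'self', '*' and host patterns such as *.example.com; when both headers are present, frame-ancestors wins, as the CSP specification requires. The host-source matching is a simplified form of the CSP grammar (an assumption of this example: a source without a scheme or port leaves that part unchecked), only the immediate framer is tested rather than the whole ancestor chain, and the hostnames and header sets are constructed for illustration.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Return (scheme, host, port) for a URL, applying the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def host_source_matches(source, origin):
    """Match one frame-ancestors host source (e.g. *.example.com, https://a.b:8443)
    against an origin tuple. Simplified CSP host-source matching (assumption):
    a scheme or port missing from the source is not checked."""
    scheme, host, port = origin
    src_scheme, src_port = None, None
    if "://" in source:
        src_scheme, source = source.split("://", 1)
    if ":" in source:
        source, src_port = source.rsplit(":", 1)
    if src_scheme and src_scheme != scheme:
        return False
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    if source.startswith("*."):
        # "*.example.com" covers sub.example.com but not example.com itself
        return host.endswith(source[1:])
    return host == source


def frame_ancestors_sources(headers):
    """Return the lower-cased token list of frame-ancestors, or None if the
    directive (or the whole CSP header) is absent. Header keys must be lower-case."""
    csp = headers.get("content-security-policy")
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frameable_by(headers, page_url, framer_url):
    """Decide whether a browser may render page_url inside an iframe on a page at
    framer_url, given the framed page's response headers (names matched
    case-insensitively). frame-ancestors takes precedence over X-Frame-Options."""
    headers = {k.lower(): v for k, v in headers.items()}
    page, framer = origin_of(page_url), origin_of(framer_url)

    sources = frame_ancestors_sources(headers)
    if sources is not None:
        # An empty source list behaves like 'none'
        if not sources or "'none'" in sources:
            return False
        for src in sources:
            if src == "'self'" and framer == page:
                return True
            if src == "*" or (not src.startswith("'") and host_source_matches(src, framer)):
                return True
        return False

    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True  # no restricting header: pages are frameable by default


# Constructed sample responses for a sensitive page (hostnames are illustrative)
PAGE = "https://bank.example.com/transfer"
SAMPLES = {
    "no header": {},
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-none": {"Content-Security-Policy": "frame-ancestors 'none';"},
    "csp-self-subdomains": {"Content-Security-Policy": "frame-ancestors 'self' *.example.com;"},
}

if __name__ == "__main__":
    framers = ("https://bank.example.com/", "https://app.example.com/", "https://attacker.example.net/")
    for label, hdrs in SAMPLES.items():
        for framer in framers:
            print(f"{label:20} framed by {framer:32} -> {frameable_by(hdrs, PAGE, framer)}")
```

Run over a site's real responses, the interesting output is any page carrying a state-changing action for which `frameable_by` returns True for an origin you do not control.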

Besides implementing X-Frame-Options and the Content-Security-Policy to ensure that sensitive pages cannot be framed, another way of protecting against clickjacking is with SameSite cookies. A web application instructs the user’s browser to set cookies via a Set-Cookie header. For example, this header will make the client browser set the value of the cookie PHPSESSID to UEhQU0VTU0lE:

Set-Cookie: PHPSESSID=UEhQU0VTU0lE

In addition to the basic cookie_name=cookie_value designation, the Set-Cookie header allows several optional flags you can use to protect your users’ cookies. One of them is the SameSite flag, which helps prevent clickjacking attacks. When the SameSite flag on a cookie is set to Strict or Lax, that cookie won't be sent in requests made within a third-party iframe:

Set-Cookie: PHPSESSID=UEhQU0VTU0lE; Max-Age=86400; Secure; HttpOnly; SameSite=Strict
Set-Cookie: PHPSESSID=UEhQU0VTU0lE; Max-Age=86400; Secure; HttpOnly; SameSite=Lax

This means that any clickjacking attack that requires the victim to be authenticated, like the banking example we mentioned earlier, would not work, even if no HTTP response header restricts framing, because the victim won’t be authenticated in the clickjacked request.
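As an added example (not part of the original page), here is a Python audit helper for the SameSite point made above: it parses Set-Cookie headers and reports which session cookies would still accompany a request issued from within a cross-site iframe, i.e. the clickjacked request. Strict and Lax cookies are withheld from such requests; SameSite=None cookies are sent only when also marked Secure, because current browsers reject SameSite=None cookies that lack Secure. A cookie with no SameSite attribute at all is counted as unprotected, which is a conservative assumption of this example, since the effective default varies by browser. The header values are the page's own examples plus constructed variants.

```python
def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; valueless flags map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def sent_from_cross_site_iframe(header_value):
    """Return True if this cookie would be attached to a request that a page,
    while framed by a different site, makes back to its own origin."""
    _, _, attrs = parse_set_cookie(header_value)
    same_site = attrs.get("samesite")
    if same_site is None or same_site is True:
        # Attribute absent (or given without a value): treated as unprotected here.
        # Assumption of this example; the real default depends on the browser.
        return True
    same_site = same_site.lower()
    if same_site in ("strict", "lax"):
        # Neither mode sends the cookie on requests originating inside a cross-site frame
        return False
    if same_site == "none":
        # SameSite=None is honoured only with Secure; without it the cookie is rejected
        return "secure" in attrs
    # Unknown token: browsers ignore it, so fall back to the unprotected case
    return True


def unprotected_cookies(set_cookie_headers):
    """Names of cookies that still flow in cross-site framed requests, in header order."""
    return [parse_set_cookie(h)[0] for h in set_cookie_headers if sent_from_cross_site_iframe(h)]


# Constructed sample Set-Cookie headers (the first three follow the page's examples)
SAMPLE_HEADERS = [
    "PHPSESSID=UEhQU0VTU0lE",
    "PHPSESSID=UEhQU0VTU0lE; Max-Age=86400; Secure; HttpOnly; SameSite=Strict",
    "PHPSESSID=UEhQU0VTU0lE; Max-Age=86400; Secure; HttpOnly; SameSite=Lax",
    "tracker=abc123; Secure; SameSite=None",
    "legacy=xyz; SameSite=None",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        flag = "SENT" if sent_from_cross_site_iframe(header) else "withheld"
        print(f"{flag:9} {header}")
    print("unprotected:", unprotected_cookies(SAMPLE_HEADERS))
```

The practical reading of the output: a session cookie listed as unprotected means SameSite alone is not stopping an authenticated clickjacked request, so the framing headers on that page have to carry the defence.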
