Summary
The COmanage Project and TAP containers have been updated to deter clickjacking attacks.
Severity
The severity of this issue is very high, as clickjacking attacks are designed to be launched remotely.
Exposure
The exposure will generally be low, as this attack is considered difficult to exploit. There are no known instances of it in the wild.
Recommended Mitigation
Deployments should update to the latest containers available. This applies to both Registry and Match.
Alternate Mitigations
Deployments may alternately update their Apache or other web server configurations to ensure frames can only come from the same origin. For example:
Header set Content-Security-Policy "frame-ancestors 'self';"
Deployments supporting older browsers may wish to support older directives:
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
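To confirm that a deployment actually sends the mitigation above, a small checker that evaluates response headers is useful. The following is an added example, not COmanage project code; the header blocks in it are constructed sample responses, not captures from a real Registry or Match instance. It treats a CSP frame-ancestors directive as authoritative (browsers that understand it ignore X-Frame-Options), falls back to X-Frame-Options for older setups, and deliberately does not credit a report-only policy, which is never enforced.

```python
"""Check HTTP response headers for the clickjacking mitigations above:
CSP frame-ancestors, with X-Frame-Options as a legacy fallback.

Added example; not COmanage project code. The header blocks below are
constructed sample input, not captured from a real deployment.
"""
from typing import Dict, List, Tuple, Union

HeaderValue = Union[str, List[str]]


def parse_header_block(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head into {lower-case name: [values]}.

    Repeated headers (e.g. several Content-Security-Policy lines) are kept
    as separate values, because browsers enforce each CSP independently.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split one CSP value into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def assess_framing_protection(headers: Dict[str, HeaderValue]) -> Tuple[bool, str]:
    """Return (protected, reason) for a set of response headers."""
    normalized = {
        k.lower(): ([v] if isinstance(v, str) else list(v)) for k, v in headers.items()
    }

    # Content-Security-Policy-Report-Only is ignored on purpose: a report-only
    # frame-ancestors is only logged by the browser, never enforced.
    saw_frame_ancestors = False
    for policy in normalized.get("content-security-policy", []):
        sources = parse_csp(policy).get("frame-ancestors")
        if sources is None:
            continue
        saw_frame_ancestors = True
        if "*" in sources:
            continue  # this policy permits any ancestor; another may still restrict
        return True, "CSP frame-ancestors restricts framing to: " + " ".join(sources)
    if saw_frame_ancestors:
        # Once frame-ancestors is present, browsers ignore X-Frame-Options,
        # so a wildcard here is not rescued by the legacy header.
        return False, "CSP frame-ancestors allows any origin (*)"

    for value in normalized.get("x-frame-options", []):
        v = value.strip().upper()
        if v in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options {v} only (legacy header; add CSP frame-ancestors)"
        if v.startswith("ALLOW-FROM"):
            return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
        return False, f"unrecognised X-Frame-Options value {value!r}"

    return False, "no CSP frame-ancestors directive and no X-Frame-Options header"


# Constructed sample responses (not real captures).
PATCHED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: frame-ancestors 'self';
X-Frame-Options: SAMEORIGIN
"""

UNPATCHED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: CAKEPHP=example; Path=/; HttpOnly
"""

if __name__ == "__main__":
    for label, raw in (("patched", PATCHED_RESPONSE), ("unpatched", UNPATCHED_RESPONSE)):
        ok, why = assess_framing_protection(parse_header_block(raw))
        print(f"{label}: {'PROTECTED' if ok else 'EXPOSED'} - {why}")
```

In practice the head of a live response (for example the output of `curl -sI` against the Registry or Match login page) can be passed straight to `parse_header_block`; anything other than a PROTECTED verdict means the container update or the web server configuration change has not taken effect on that host.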
Discussion
"Clickjacking" is an attack in which an attacker layers page elements, often an invisible iframe, to trick a user into clicking something they did not intend. More details about this sort of attack can be found here.
References
- CO-2705