Summary

The COmanage Project and TAP containers have been updated to deter clickjacking attacks.

Update 2024 02 26

Registry v4.3.3 now sends this header on all responses.

Severity

The severity of this issue is very high, as clickjacking attacks are designed to be launched remotely.

Exposure

The exposure will generally be low, as clickjacking against Registry is considered difficult to exploit, and there are no known instances of this attack in the wild.

Recommended Mitigation

Deployments should update to the latest containers available. This applies to both Registry and Match.

Beginning with Registry v4.3.3, the “Content-Security-Policy” HTTP header with the directive “frame-ancestors ‘self’” is sent with all page layouts. It instructs the browser to render a Registry page inside a frame only when the framing page comes from the same origin (scheme, host and port) as Registry itself; a browser that honors the header will refuse to display Registry content in an iframe on any other site. This makes it difficult to build a clickjacking interface that fools end users into believing they are interacting with their official Registry site.

header("Content-Security-Policy: frame-ancestors 'self'");

Similar changes will be added to Match in a future release.

Alternate Mitigations

Deployments may alternately update their Apache or other web server configuration to ensure Registry pages can only be framed by pages from the same origin. For example, with Apache mod_headers:

Header set Content-Security-Policy "frame-ancestors 'self';" 

Note that “Header set” only applies to successful (2xx) responses; use “Header always set” if error pages served by Apache should carry the header as well.

Deployments supporting older browsers that do not implement frame-ancestors may wish to send the older X-Frame-Options header alongside it (browsers that support frame-ancestors give it precedence when both are present):

X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self' 
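The following is an added example, not COmanage code: a small Python checker that takes a page URL and its response headers (such as the two shown above) and decides whether a page from another origin would be allowed to frame it. It applies the CSP3 frame-ancestors source matching rules in simplified form ('none', 'self', *, scheme-only and host sources with optional wildcard and port) and falls back to X-Frame-Options when no frame-ancestors directive is present. The sample headers, host names and function names are constructed for illustration.

```python
"""Check whether a page's HTTP response headers let another origin frame it.

Added example for this advisory; it is not COmanage code. The function names
and the sample headers below are constructed for illustration."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample responses: what Registry v4.3.3 sends, what the Apache
# mitigation in this advisory sends, and an unprotected response.
SAMPLE_RESPONSES = {
    "registry_4_3_3": {"Content-Security-Policy": "frame-ancestors 'self'"},
    "apache_both": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
    },
    "unprotected": {"Content-Type": "text/html; charset=utf-8"},
}


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def source_matches(source, page_url, framer_url):
    """Simplified CSP3 matching of one frame-ancestors source expression
    against the origin of the page that wants to do the framing."""
    token = source.lower()
    page, framer = origin_of(page_url), origin_of(framer_url)
    if token == "'none'":
        return False
    if token == "'self'":
        return framer == page
    if token == "*":
        return True
    if token.endswith(":") and "://" not in token:  # scheme-source, e.g. "https:"
        return framer[0] == token[:-1]
    # host-source: [scheme://]host[:port], where host may begin with "*."
    scheme, _, rest = token.partition("://") if "://" in token else ("", "", token)
    host, _, port = rest.partition(":")
    if scheme:
        if framer[0] != scheme:
            return False
    elif framer[0] != page[0] and not (page[0] == "http" and framer[0] == "https"):
        return False  # without a scheme, the source inherits the page's scheme
    if host.startswith("*."):
        if not framer[1].endswith(host[1:]):
            return False
    elif framer[1] != host:
        return False
    if port == "*":
        return True
    if port:
        return framer[2] == int(port)
    return framer[2] == DEFAULT_PORTS.get(framer[0])  # no port given: default only


def can_be_framed_by(page_url, framer_url, headers):
    """True if a browser honoring CSP3 and X-Frame-Options would render
    page_url inside a frame on a document at framer_url."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # frame-ancestors, when present, overrides X-Frame-Options;
            # an empty source list is equivalent to 'none'.
            return any(source_matches(s, page_url, framer_url) for s in tokens[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    # No header, or a value modern browsers ignore (e.g. ALLOW-FROM): framable.
    return True


def is_clickjacking_protected(page_url, headers, attacker_url="https://attacker.example/"):
    """Protected means a page on a different origin cannot frame this page."""
    return not can_be_framed_by(page_url, attacker_url, headers)


if __name__ == "__main__":
    page = "https://registry.example.org/registry/"
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name:16} protected={is_clickjacking_protected(page, hdrs)}")
```

To check a real deployment, paste the headers from a curl -I request against your Registry into a dict and call is_clickjacking_protected with the page URL; a result of False means a cross-origin page could still frame it. The checker only evaluates a single Content-Security-Policy header; if a server sends several, a browser enforces all of them.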

Discussion

"Clickjacking" is an attack whereby an attacker layers content so as to trick a user into clicking a link or button they did not intend, often by placing the target site in an invisible iframe over a decoy page. More details about this sort of attack can be found here.

References

  • CO-2705
