Unable to Prevent Clickjacking from Local File Protocol in Helmet-Protected Website
jonidelv opened this issue · comments
I have set the headers with helmet on my website and included the following configuration to prevent clickjacking attacks:
```js
// Express app assumed (not shown in the original snippet)
app.use(helmet.frameguard({ action: 'deny' }));
app.use(helmet.contentSecurityPolicy({
  directives: {
    frameAncestors: [
      "'self'",
      'https://*.force.com',
      'https://*.my.salesforce.com'
    ]
  }
}));
```
When I check the headers using `curl -I mysite.com`, I can see that the x-frame-options header is set to DENY and the content-security-policy header has the frame-ancestors directive with the specified values:
```
x-frame-options: DENY
content-security-policy: frame-ancestors 'self' file: https://*.force.com https://*.my.salesforce.com
```
However, I noticed that if I create an `index.html` file on my local machine with an iframe that points to my website like this:
```html
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<iframe src="https://app.mysite.com/" width="900" height="800"></iframe>
</body>
</html>
```
My website still loads inside the iframe. This is not desirable behavior, and I want to prevent this from happening. Specifically, I want to prevent a page served with the `file://` protocol from a local machine from being able to embed my website.
(I've noticed that the desired behavior is achieved when the embedding is attempted from a web server, indicating that the issue is specific to local files)
This `Content-Security-Policy` header looks like the culprit:
```
content-security-policy: frame-ancestors 'self' file: https://*.force.com https://*.my.salesforce.com
```
Notice that `file:` is there. That will allow `file://` embedding.
Maybe you need to do a hard refresh? Maybe you need to re-deploy your server?
Looks like your problem was solved! Let me know if you need anything else.