Cross frame scripting - Vulnerability Database

Cross frame scripting

Description

Cross-Frame Scripting (XFS) is a client-side vulnerability that allows attackers to manipulate or overlay content within frames or iframes on a web page. This attack exploits the lack of proper frame security controls, enabling malicious actors to load trusted pages within attacker-controlled frames, creating convincing phishing scenarios where users believe they are interacting with legitimate content when they are actually submitting data to malicious endpoints.

Remediation

Implement frame security controls to prevent your application from being embedded in untrusted contexts:

1. Set X-Frame-Options HTTP header to control frame embedding:

X-Frame-Options: DENY
# or to allow only same-origin framing:
X-Frame-Options: SAMEORIGIN

2. Implement Content Security Policy (CSP) with the frame-ancestors directive for modern browser support:

Content-Security-Policy: frame-ancestors 'none';
# or to allow only same-origin:
Content-Security-Policy: frame-ancestors 'self';

3. Add frame-busting JavaScript as a defense-in-depth measure for legacy browsers that honour neither header:

// If this document is not the top-level browsing context, it has been framed:
// navigate the top window to this page so it is displayed outside the frame.
if (top !== self) {
  top.location = self.location;
}

4. Validate and sanitize user input that controls frame sources or URLs to prevent injection of malicious frame content.

Note: CSP frame-ancestors is preferred over X-Frame-Options because it offers finer-grained control (specific allowed origins rather than only DENY or SAMEORIGIN) and is the current standard; send both headers so that browsers without CSP support still fall back to X-Frame-Options.
