Does CSRF protect against clicks?

Suppose my web application is protected against a CSRF attack with a CSRF token and, in addition, uses SSL and is protected against XSS attacks. Also, for the purposes of this question, suppose that it is used only from the latest browsers and that they have no errors. I can protect against frame-based drag and drop using the X-Frame-Options: Deny header, but I don’t see what additional protection it will provide, since there will be no CSRF token in any frame-based view. (And the same origin policy prevents the detection of a CSRF token of a JavaScript attacker.) Questions:

  • Is there any other type of clickjacking that is not frame based? (I.e., does X-Frame-Options: Deny provide incomplete click protection?)

  • In the absence of the X-Frame-Options: Deny header, is it possible for the clickjacking attack to be successful given the above assumptions?

(I'm not asking this because I want to prevent frame-based clickjacking, since I already include the X-Frame-Options: Deny header. Rather, I'm trying to figure out what the attack area is with clickjacking.)

1 answer

After doing some more research, I think I answered my own question: the overlaid, transparent iframe contains the attacked site, which is usually accessed. For example, it could be a page with a button for deleting photos, emails, etc. The visible page from the intruder’s site is something completely different, perhaps to enter the contest, with a button located exactly where the iframe button is located. So, this does not apply to CSRF, because the submitted form is not fake; it is real in every way and has not been changed.

The solution is to prevent the site from loading into the frame, which is what X-Frame-Options: Deny does.
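The header-based mitigation the answer settles on, as an added example that is not part of the original post: a server that sends the anti-framing headers on a sensitive page, plus a hypothetical `frame_protection` helper (assumed, not from the post) that audits a response's headers the way a defender would when checking whether a page can still be embedded. It also covers the CSP `frame-ancestors` directive, which modern browsers prefer over X-Frame-Options when both are present.

```python
from http.server import BaseHTTPRequestHandler

# Headers a page with state-changing buttons (delete photo, send mail) should carry.
# Both are sent because older browsers only honour X-Frame-Options.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def frame_protection(headers: dict) -> str:
    """Classify a response as 'denied', 'same-origin', 'allow-listed' or 'framable'.

    Hypothetical audit helper. Header names are matched case-insensitively; the
    CSP frame-ancestors directive takes precedence over X-Frame-Options, as it
    does in browsers that implement both.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {p.strip("'").lower() for p in parts[1:]}
            if sources == {"none"}:
                return "denied"
            if sources == {"self"}:
                return "same-origin"
            return "allow-listed"  # specific origins allowed to embed the page
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "framable"  # no anti-framing header: a transparent overlay attack works


class PhotoHandler(BaseHTTPRequestHandler):
    """Serves a delete-photo form (constructed sample) with the anti-framing headers."""

    def do_GET(self):
        body = (b"<form method='post' action='/delete'>"
                b"<input type='hidden' name='csrf' value='SAMPLE-TOKEN'>"
                b"<button>Delete photo</button></form>")
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        for name, value in ANTI_FRAMING_HEADERS.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)
```

Note that the CSRF token in the served form does nothing against this attack: the form submitted from inside the hidden iframe is the genuine one, so only the framing headers prevent it.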


Source: https://habr.com/ru/post/1485319/
