I need to add a javascript based framework for my web application that helps prevent clickjacking (or Cross Frame Scripting) attacks for legacy browsers that do not support X-FRAME-OPTIONS.
After searching the Internet, I found that there are currently two approaches shown below. Being a complete newbie to javascript, I prefer approach 1 for its simplicity.
My question is, are both approaches still valid at the moment, or are they already "busted"?
EDIT: modified my question to ask about both approaches, not just approach 1.
Approach 1 (from http://en.wikipedia.org/wiki/Framekiller#Modern_framekiller ):
if (self == top) { document.documentElement.style.display = 'block'; } else { top.location = self.location; }
Approach 2 (from https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script ):
<style id="antiClickjack">body{display:none !important;}</style> <script type="text/javascript"> if (self === top) { var antiClickjack = document.getElementById("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack); } else { top.location = self.location; } </script>
Many thanks.
source share