SEC-2230: Polish and clickjacking demo

This commit is contained in:
Rob Winch 2013-08-01 10:19:36 -05:00
parent 8c3ac719bb
commit e242aeff3e
4 changed files with 24 additions and 6 deletions

View File

@ -348,8 +348,8 @@
</section> </section>
<section xml:id="nsa-frame-options"> <section xml:id="nsa-frame-options">
<title><literal>&lt;frame-options&gt;</literal></title> <title><literal>&lt;frame-options&gt;</literal></title>
<para>When enabled adds the <link xlink:href="http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01">X-Frame-Options header</link> to the response, this allows newer browsers to do some security <para>When enabled adds the <link xlink:href="http://tools.ietf.org/html/draft-ietf-websec-x-frame-options">X-Frame-Options header</link> to the response, this allows newer browsers to do some security
checks and prevent clickjacking attacks.</para> checks and prevent <link xlink:href="http://en.wikipedia.org/wiki/Clickjacking">clickjacking</link> attacks.</para>
<section xml:id="nsa-frame-options-attributes"> <section xml:id="nsa-frame-options-attributes">
<title><literal>&lt;frame-options&gt;</literal> Attributes</title> <title><literal>&lt;frame-options&gt;</literal> Attributes</title>
<section xml:id="nsa-frame-options-policy"> <section xml:id="nsa-frame-options-policy">

View File

@ -1,13 +1,20 @@
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <beans xmlns="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd xmlns:p="http://www.springframework.org/schema/p"
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd"> xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<!-- ========================== WEB DEFINITIONS ======================= --> <!-- ========================== WEB DEFINITIONS ======================= -->
<context:component-scan base-package="sample.contact"/> <context:component-scan base-package="sample.contact"/>
<context:annotation-config /> <context:annotation-config />
<mvc:annotation-driven/>
<mvc:view-controller path="/frames.htm" view-name="/frames"/>
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource"> <bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="messages"/> <property name="basename" value="messages"/>
</bean> </bean>

View File

@ -0,0 +1,10 @@
<html>
<head>
<title>Frames</title>
</head>
<body>
<p>This contains frames, but the frames will not be loaded due to the <a href="http://tools.ietf.org/html/draft-ietf-websec-x-frame-options">X-Frame-Options</a>
being specified as denied. This protects against <a href="http://en.wikipedia.org/wiki/Clickjacking">clickjacking attacks</a></p>
<iframe src="./hello.htm" width="500" height="500"></iframe>
</body>
</html>

View File

@ -47,5 +47,6 @@ here's a random <code>Contact</code>:
<p>Get started by clicking "Manage"... <p>Get started by clicking "Manage"...
<p><A HREF="<c:url value="secure/index.htm"/>">Manage</a> <p><A HREF="<c:url value="secure/index.htm"/>">Manage</a>
<a href="<c:url value="secure/debug.jsp"/>">Debug</a> <a href="<c:url value="secure/debug.jsp"/>">Debug</a>
<a href="<c:url value="./frames.htm"/>">Frames</a>
</body> </body>
</html> </html>