I've decided to develop the SafeClick module a few weeks after a discussion with the Drupal Security Team about possible vulnerabilities to Clickjacking attacks. The Security Team replied that protection against this class of attacks won't be implemented in core, so I've decided to develop a special module for it. More information about Clickjacking can be found at http://www.sectheory.com/clickjacking.htm.
Currently, there is no similar module available for Drupal or any other CMS. Development of this module provides Drupal with a new level of security, which is not comparable to any other CMS. The number of clickjacking attacks increases - the Bikini worm at Facebook and a huge number of attacks on Twitter - so this module is definitely needed for many websites. The high level of attention to Drupal as a governmental site (like www.whitehouse.gov) and as a social network with Twitter integration - all of this should get the best of secure practice.
This module implements several techniques of Clickjacking prevention, which were discussed at length at http://sla.ckers.org with specialists in the Web Application Security sphere. I think they ought to be reviewed by the Drupal Security Team, and if they have any questions, I'll certainly explain everything.
The first technique is the implementation of the X-Frame-Options HTTP header. This header defines how the browser should process framing of the website. It has two options: SAMEORIGIN, when the browser accepts framing within the website's own domain, and DENY, when the browser rejects any attempt at framing. This header is currently supported by NoScript, Safari, Chrome and IE8, so it's the best way to prevent Clickjacking.
The second technique is an implementation of a JavaScript and CSS hack. It looks like this:

```html
<script type="text/javascript">
  // Not framed: open an HTML comment so the <style> block below is ignored.
  if (top === self) { document.write("<!--"); }
</script>
<style type="text/css">body { display: none !important; }</style>
-->
```

So if the site is not being framed, the JavaScript comments out the style and everything is okay. If the site is being framed, the JavaScript isn't executed and the body is not shown. It's the best way to prevent Clickjacking, because the usage of a simple framebuster is not good as long as it can be disabled via the XSS filter in IE8 and Safari.

The third option is the addition of a `<noscript>` tag with a message pointing the user to enable JavaScript. This should be used with the second technique, because it's a bad idea to show a blank screen to users with JavaScript disabled. However, this option may also be used alone.

The fourth technique is to override the stylesheet for the iframe, frame, object and embed selectors. It's going to be useful if users are allowed to post the stated tags on the website. Most Clickjacking vectors use transparent frames, and this stylesheet overrides their opacity to 100. Rare Clickjacking vectors exploit the "last loaded - first focused" behavior, when the last loaded iframe is focused regardless of its visibility. The stylesheet sets the z-index for these selectors to 1, so the last loaded frame will always be shown to the user. In theory, the second and the fourth technique may break the behavior of certain contributed modules, but I didn't find any.

Best regards,
Alex Rodionov
p0deje@gmail.com

Comment | File | Size | Author |
---|---|---|---|
#13 | safeclick.zip | 5.56 KB | p0deje |
#11 | safeclick.zip | 5.54 KB | p0deje |
#6 | safeclick.zip | 6.23 KB | p0deje |
#4 | safeclick.zip | 6.23 KB | p0deje |
#1 | safeclick.zip | 6.18 KB | p0deje |
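As an added example that is not part of the SafeClick module or of this issue: a Node.js check a site operator can run over captured response headers to confirm that the first technique above is actually in effect. It evaluates X-Frame-Options the way browsers do (only DENY and SAMEORIGIN count, case-insensitively; unrecognised or conflicting values leave the page frameable) and, going beyond the post, also recognises the Content-Security-Policy frame-ancestors directive, which later browsers honour in preference to X-Frame-Options. All header sets are constructed samples; the function names and the `SAMPLES` table are this example's own.

```javascript
// Added example, not code from the SafeClick module: a defender's check that
// evaluates captured HTTP response headers for framing protection.

// Header names are case-insensitive; collect every value under a lowercase key.
// A repeated header may arrive as an array of values.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    out[key] = (out[key] || []).concat(Array.isArray(value) ? value : [value]);
  }
  return out;
}

// Technique 1 from the post: X-Frame-Options. Only DENY and SAMEORIGIN are
// reliable; anything else is ignored by browsers, which leaves the page frameable.
function evaluateXFrameOptions(values) {
  if (!values || values.length === 0) {
    return { protected: false, reason: 'X-Frame-Options header missing' };
  }
  const distinct = [...new Set(values.map((v) => v.trim().toUpperCase()))];
  if (distinct.length > 1) {
    return { protected: false, reason: 'conflicting X-Frame-Options values; browsers handle these inconsistently' };
  }
  const value = distinct[0];
  if (value === 'DENY' || value === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options: ${value}` };
  }
  if (value.startsWith('ALLOW-FROM')) {
    return { protected: false, reason: 'ALLOW-FROM is obsolete and ignored by most browsers' };
  }
  return { protected: false, reason: `unrecognised X-Frame-Options value "${values[0]}" is ignored` };
}

// Beyond the post: Content-Security-Policy frame-ancestors, which takes
// precedence over X-Frame-Options where both are present. Returns null when
// no policy carries the directive.
function evaluateFrameAncestors(policies) {
  for (const policy of policies || []) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length === 0 || tokens[0].toLowerCase() !== 'frame-ancestors') continue;
      const sources = tokens.slice(1).map((s) => s.toLowerCase());
      if (sources.length === 0 || sources.includes("'none'")) {
        return { protected: true, reason: "frame-ancestors 'none'" };
      }
      if (sources.some((s) => s === '*' || s === 'http:' || s === 'https:')) {
        return { protected: false, reason: 'frame-ancestors permits any origin' };
      }
      return { protected: true, reason: `frame-ancestors limited to ${sources.join(' ')}` };
    }
  }
  return null;
}

function evaluateClickjackingProtection(headers) {
  const h = normalizeHeaders(headers);
  const csp = evaluateFrameAncestors(h['content-security-policy']);
  if (csp) return { ...csp, source: 'content-security-policy' };
  return { ...evaluateXFrameOptions(h['x-frame-options']), source: 'x-frame-options' };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  sameorigin: { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Type': 'text/html' },
  deny: { 'x-frame-options': 'deny' },
  typo: { 'X-Frame-Options': 'SAME-ORIGIN' },
  conflicting: { 'X-Frame-Options': ['DENY', 'SAMEORIGIN'] },
  cspOverridesXfo: {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'X-Frame-Options': 'ALLOWALL',
  },
  unprotected: { 'Content-Type': 'text/html' },
};

function evaluateSamples() {
  const results = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    results[name] = evaluateClickjackingProtection(headers);
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(evaluateSamples())) {
    console.log(`${name.padEnd(16)} ${r.protected ? 'protected  ' : 'UNPROTECTED'} ${r.reason}`);
  }
}
```

The `typo` and `conflicting` samples are the cases worth watching for in practice: a misspelt value or a header set twice by two layers (application and reverse proxy) looks like protection in a header dump but gives none in the browser.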
Comments

Comment #1
p0deje commented

Comment #2
p0deje commented

Comment #3
apaderno commented
Hello, and thanks for applying for a CVS account. I am adding the review tags, and some volunteers will review your code.
Comment #4
p0deje commented
I've made a mistake which I noticed after uploading the module.
So here is the fixed version.
Please ignore the previous one.
Comment #5
apaderno commented
Such a comment should be used for hook implementations, not for all the functions.
Files that are committed in the CVS repository must be licensed under GPL v2.
Comment #6
p0deje commented
1. Didn't find such a paragraph in the Coding Standards. Can you point me to it?
2. Fixed
3. On http://drupal.org/node/59 it says
Comment #7
p0deje commented

Comment #8
aaron commented
I thought that it had to be >= GPL v2, as GPL v2 is compatible with all GPL versions after it?
Comment #9
apaderno commented
Licenses - Free Software Foundation
The part about the namespace is the one that tells you which names functions, constants, global variables and Drupal variables must have. That is important because it allows each module to be compatible with the others.
Comment #10
apaderno commented
Licensing FAQ
Comment #11
p0deje commented
1. License problems were resolved.
2. I've looked through the code and it seems to me that everything is written according to the coding standards: functions are in lowercase with underscores, constants are in uppercase with underscores. What am I missing?
Comment #12
apaderno commented
Constants defined by the module should be prefixed with the module name (in upper case characters, in this case SAFECLICK_).
Comment #13
p0deje commented
Constants were fixed.
Comment #14
apaderno commented

Comment #15
p0deje commented

Comment #16
apaderno commented
Thank you for your contribution! I am going to update your account.
These are some recommended readings to help with excellent maintainership:
You can find more contributors chatting on the IRC #drupal-contribute channel. So, come hang out and stay involved.
Thank you, also, for your patience with the review process.
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
I thank all the dedicated reviewers as well.
Comment #19
apaderno commented

Comment #20
apaderno commented
I am giving credits to the users who participated in this issue.