You are viewing the documentation for Blueriq 13. Documentation for other versions is available in our documentation directory.

Clickjacking protection

Also known as User Interface redress attack, UI Redress attack or UI redressing is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information

Clickjacking protection is implemented as described on the OWASP, by appending the headers:

HeaderValue
X-Frame-OptionsSAMEORIGIN
Content-Security-Policyframe-ancestors 'self'; default-src 'self'; script-src 'self' 'unsafe-eval';

For more information about the subject, please consult the official Content Security Policy documentation, available here.


The use of eval, setTimeout with a string argument, setInterval with a string argument and new Function with the function body given as a string should be avoided in the front-end code, as the 'unsafe-eval' directive is in effect. 

If a custom front-end is used which does not use KnockoutJS or other frameworks that make use of the above-mentioned javascript functions, we recommend to remove the 'unsafe-eval' directive from script-src. We also recommend to keep other XSS protection measures enabled, such as the XSS protection header, XSS whitelist and/or XSS blacklist.


When it should be disabled

This option needs to be disabled when the blueriq application is used inside a frame that originates from a website on another domain

The Clickjacking protection is enabled by default.


Setting the following property in application.properties will disable it:

blueriq.security.click-jacking-protection.enabled=false


Configure parameters

Default value for the 'Content-Security-Policy' header in Production mode (without the Development Tools Component) is : 

'frame-ancestors 'self'; default-src 'self'; script-src 'self' 'unsafe-eval';

The values for this header for the Java Runtime can be configured in  application.properties:

blueriq.security.click-jacking-protection.content-security-policy.default-src='self'
blueriq.security.click-jacking-protection.content-security-policy.script-src='self' 'unsafe-inline' 'unsafe-eval'
blueriq.security.click-jacking-protection.content-security-policy.style-src='self' 'unsafe-inline'
blueriq.security.click-jacking-protection.content-security-policy.font-src='self' data:
blueriq.security.click-jacking-protection.content-security-policy.img-src='self' <source> <source>

Property value overrides in development

When the Development Tools component is present and active, additional settings are required for the Content Security Policy, due to the frameworks used by this component (Vaadin in Java).

In the Runtime this is achieved by overriding the property values in the application-development-tools.properties file. The default values for the Content Security Policy in application-development-tools.properties are:

blueriq.security.click-jacking-protection.content-security-policy.script-src='self' 'unsafe-eval' 'unsafe-inline'
blueriq.security.click-jacking-protection.content-security-policy.style-src='self' 'unsafe-inline'



  • No labels