At a customer there was a security issue raised about clickjacking vulnerability in the J2EE application running on Websphere 8.5. After implementing the filter I ran into a issue with the PrimeFaces Upload control on Internet Explorer, especially version 8.
What is ClickJacking
At the OWASP website there is a very good explaination about clickjacking. In short is the attacker will disguise the hostile page inside a friendly page.
ClickJacking filter for JEE
On the OWASP website there is a ClickJacking filter for Java EE, very easy to implement.
There are to modes for this filter, DENY and SAMEORIGIN. To be on the save side I switched the mode in the web.xml to DENY.
[dropshadowbox align=”none” effect=”lifted-both” width=”400px” height=”” background_color=”#ffffff” border_width=”1″ border_color=”#dddddd” ][/dropshadowbox]
When I use the upload control in FireFox, Firebug showed the response header the parameter ‘x-frame-options’ was set to DENY.
The Issue on Internet Explorer 8
When I tested the upload control on IE8, I noticed that when I press the Upload button, the control will hang in the upload proces by showing the progress bar. IE8 was the only browser affected by this behaviour. Firefox and Chrome was uploading normally.
Next was to switch the ClickJacking Filter mode to SAMEORIGIN
After publishing the change to the webserver first I checked the response header in Firebug
When I reloaded the upload control in IE8 and uploaded a file, everything was working as expected. So issue fixed.
Apparently the PrimeFaces Upload control is using an iFrame underneath the nice UI and was affected by the ClickJackFilter on IE8.