At a customer there was a security issue raised about clickjacking vulnerability in the J2EE application running on Websphere 8.5. After implementing the filter I ran into a issue with the PrimeFaces Upload control on Internet Explorer, especially version 8.
What is ClickJacking
At the OWASP website there is a very good explaination about clickjacking. In short is the attacker will disguise the hostile page inside a friendly page.
ClickJacking filter for JEE
On the OWASP website there is a ClickJacking filter for Java EE, very easy to implement.
There are to modes for this filter, DENY and SAMEORIGIN. To be on the save side I switched the mode in the web.xml to DENY.
[dropshadowbox align=”none” effect=”lifted-both” width=”400px” height=”” background_color=”#ffffff” border_width=”1″ border_color=”#dddddd” ]
[/dropshadowbox]
When I use the upload control in FireFox, Firebug showed the response header the parameter ‘x-frame-options’ was set to DENY.
[dropshadowbox align=”none” effect=”lifted-both” width=”400px” height=”” background_color=”#ffffff” border_width=”1″ border_color=”#dddddd” ]
[/dropshadowbox]
The Issue on Internet Explorer 8
When I tested the upload control on IE8, I noticed that when I press the Upload button, the control will hang in the upload proces by showing the progress bar. IE8 was the only browser affected by this behaviour. Firefox and Chrome was uploading normally.
The solution
Next was to switch the ClickJacking Filter mode to SAMEORIGIN
[dropshadowbox align=”none” effect=”lifted-both” width=”400px” height=”” background_color=”#ffffff” border_width=”1″ border_color=”#dddddd” ]
[/dropshadowbox]
After publishing the change to the webserver first I checked the response header in Firebug
[dropshadowbox align=”none” effect=”lifted-both” width=”400px” height=”” background_color=”#ffffff” border_width=”1″ border_color=”#dddddd” ]
[/dropshadowbox]
When I reloaded the upload control in IE8 and uploaded a file, everything was working as expected. So issue fixed.
Apparently the PrimeFaces Upload control is using an iFrame underneath the nice UI and was affected by the ClickJackFilter on IE8.