Member
Aon_Vlado - 2/19/2013 2:09:28 PM
   
Clickjacking fix in Kentico v. 7
I know that there is a fix in Kentico v. 7 for the clickjacking attack. But the description of Clickjacking protection in here is very short and according to our company security experts: “It appears that V7 is implementing the X-Frame header, which is a fix for the issue, but not a complete fix. Over the past few years there have been ways around this on certain browsers, specifically IE7. A more complete fix would be to utilize style switching which would blank out the framed page by default or un-blank it when the page is unframed.” According to them this article explains the issue and fix in much more detail.

Could Kentico confirm that the issue described in the above article has been implemented?

Thank you,

Vlado

Kentico Support
kentico_jurajo - 2/20/2013 9:14:57 AM
   
RE:Clickjacking fix in Kentico v. 7
Hi,

I can confirm that our protection is based only on X-Frame-Header. Of course, this protection is not a silver bullet, but it mitigates risk a lot for all modern browsers.

Best regards,
Juraj Ondrus

Member
Vlado - 2/25/2013 12:37:34 PM
   
RE:Clickjacking fix in Kentico v. 7
Thanks. Are there any plans to implement the whole protection as it is described in the above article?
v

Kentico Support
kentico_jurajo - 2/25/2013 12:59:57 PM
   
RE:Clickjacking fix in Kentico v. 7
Hi,

Yes, they should be in one of the next versions.

Best regards,
Juraj Ondrus
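
The style-switching approach described in the first post, as an added example that is not part of the thread and not Kentico's code: the page is hidden by a style element and a script reveals it only when the window is not framed. The element id `antiClickjack` and the function names are assumptions.

```javascript
// Added example: style-switching frame guard, a fallback for browsers
// that ignore the framing response header.
// Assumption: the page ships with this in <head>, before the script:
//   <style id="antiClickjack">body { display: none !important; }</style>
// so the body is blank until the script decides the page is unframed.

function isFramed(win) {
  try {
    // Unframed: the window is its own top. Framed: top is the embedding page.
    return win.self !== win.top;
  } catch (e) {
    // Any access error is treated as framed (fail closed).
    return true;
  }
}

function applyFrameGuard(win, doc, styleId) {
  if (isFramed(win)) {
    // Stay blank and ask the top window to load this page directly.
    try {
      win.top.location = win.self.location.href;
    } catch (e) {
      // Navigation refused (for example a sandboxed iframe): page stays hidden.
    }
    return "blocked";
  }
  // Unframed: remove the hiding style so the page renders.
  const style = doc.getElementById(styleId);
  if (style && style.parentNode) {
    style.parentNode.removeChild(style);
  }
  return "shown";
}

// Run only in a browser; elsewhere the functions are just defined.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyFrameGuard(window, document, "antiClickjack");
}
```

Because the page is blank by default, a framed copy stays hidden even when the embedding page prevents the script from running or blocks the top-level navigation.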