Bypass x-frame-options for clickjacking
There is one caveat when using the X-Frame-Options header: it only checks the top-level frame. This means that if you have nested frames, i.e. frames within frames, it is still possible for another origin to include a site with an X-Frame-Options: SAMEORIGIN header.
In this regard the header Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors.
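
As an added example (not part of the original page), the following Node.js function audits a response's headers and flags pages that rely on X-Frame-Options: SAMEORIGIN without a frame-ancestors directive. The function names, result labels and sample headers are constructed for illustration.

```javascript
// Added example: classify the framing protection a response's headers give.
// Header names are assumed lower-cased, as Node's http module delivers them.

// Return the source list of the first frame-ancestors directive found in a
// Content-Security-Policy header value, or null if no policy carries one.
function frameAncestorsSources(cspValue) {
  if (!cspValue) return null;
  for (const policy of cspValue.split(',')) {       // several policies may be comma-joined
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() === 'frame-ancestors') {
        return sources.map((s) => s.toLowerCase());
      }
    }
  }
  return null;
}

function auditFraming(headers) {
  const sources = frameAncestorsSources(headers['content-security-policy']);
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (sources !== null) {
    // A bare "*" or a whole scheme such as "https:" lets almost anyone frame the page.
    const wide = sources.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s));
    return wide
      ? { level: 'weak', reason: 'frame-ancestors allows a wildcard or a whole scheme' }
      : { level: 'all-ancestors', reason: 'frame-ancestors is matched against every ancestor' };
  }
  if (xfo === 'DENY') return { level: 'deny', reason: 'X-Frame-Options: DENY forbids any framing' };
  if (xfo === 'SAMEORIGIN') {
    // The caveat described above: only the top-level frame is compared.
    return { level: 'top-level-only', reason: "SAMEORIGIN alone; add frame-ancestors 'self'" };
  }
  return { level: 'none', reason: 'no framing restriction sent' };
}

// Constructed sample responses.
const samples = {
  legacy: { 'x-frame-options': 'SAMEORIGIN' },
  hardened: {
    'x-frame-options': 'SAMEORIGIN',
    'content-security-policy': "default-src 'self'; frame-ancestors 'self'",
  },
  wildcard: { 'content-security-policy': 'frame-ancestors *' },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, auditFraming(headers));
}
```

Sending both headers, as in the `hardened` sample, keeps the X-Frame-Options fallback for browsers that do not implement frame-ancestors.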