`sandbox` attribute. When this is set with the `allow-scripts` value and the `allow-top-navigation` value is omitted, the frame buster script can be neutralized, as the iframe cannot check whether or not it is the top window.

The `allow-scripts` value permits the specified actions within the iframe, but top-level navigation is disabled. This inhibits frame-busting behaviours while allowing functionality within the targeted site.

`allow-modals` or even more. When preparing the attack, just check the console of the browser; it may tell you which other behaviours you need to allow.
The `X-Frame-Options` HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in an `<iframe>`. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. Set the `X-Frame-Options` header for all responses containing HTML content. The possible values are:

- `X-Frame-Options: deny`, which prevents any domain from framing the content (recommended value).
- `X-Frame-Options: sameorigin`, which only allows the current site to frame the content.
- `X-Frame-Options: allow-from https://trusted.com`, which permits the specified URI to frame this page.
`frame-ancestors` directive in the application's Content Security Policy. The `frame-ancestors 'none'` directive is similar in behaviour to the X-Frame-Options `deny` directive (no one can frame the page). The `frame-ancestors 'self'` directive is broadly equivalent to the X-Frame-Options `sameorigin` directive (only the current site can frame it). The `frame-ancestors trusted.com` directive is broadly equivalent to the X-Frame-Options `allow-from` directive (only the trusted site can frame it).

```http
Content-Security-Policy: frame-ancestors 'self';
```
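As an added example that is not part of the original page, the following JavaScript audits the two header-based protections described above (the `X-Frame-Options` header and the CSP `frame-ancestors` directive) the way a defender checking a site's responses would. It parses `Content-Security-Policy` for `frame-ancestors`, falls back to `X-Frame-Options`, and reports `deny`, `sameorigin`, `allowlist` or `unprotected`. Because a sandboxed iframe can neutralize script-based frame busting, as the `sandbox` section above describes, the audit counts only response headers as protection. The sample header sets are constructed for the demo; `https://trusted.com` is the page's own placeholder host.

```javascript
// Added example, not code from the original page.
// Classify a response's clickjacking protection from its headers.

// Extract the frame-ancestors source list from a CSP header value,
// or return null when the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      // sources after the directive name; keyword sources keep their quotes
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Returns { level, source, allowed?, note? }.
// level: 'deny' | 'sameorigin' | 'allowlist' | 'unprotected'
// Browsers that support CSP frame-ancestors give it precedence over
// X-Frame-Options, so the CSP directive is evaluated first.
function assessFraming(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    if (ancestors.includes("'none'")) {
      return { level: 'deny', source: 'csp' };
    }
    const others = ancestors.filter((s) => s !== "'self'");
    if (others.length > 0) {
      return { level: 'allowlist', source: 'csp', allowed: others };
    }
    if (ancestors.length > 0) {
      return { level: 'sameorigin', source: 'csp' };
    }
    // empty source list: matches no ancestor, so nothing may frame the page
    return { level: 'deny', source: 'csp' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return { level: 'deny', source: 'xfo' };
  if (xfo === 'sameorigin') return { level: 'sameorigin', source: 'xfo' };
  if (xfo.startsWith('allow-from')) {
    return {
      level: 'allowlist',
      source: 'xfo',
      allowed: xfo.split(/\s+/).slice(1),
      note: 'allow-from is not honoured by current browsers; use CSP frame-ancestors instead',
    };
  }
  return { level: 'unprotected', source: null };
}

// Constructed sample responses for the demo (not captured from any real site).
const SAMPLE_RESPONSES = {
  legacy: { 'X-Frame-Options': 'SAMEORIGIN' },
  modern: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  partner: { 'Content-Security-Policy': "frame-ancestors 'self' https://trusted.com" },
  unprotected: { 'Content-Type': 'text/html' },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name.padEnd(12), JSON.stringify(assessFraming(headers)));
}
```

Run it with `node` and the `unprotected` sample is the one to act on; a response that carries only `X-Frame-Options: allow-from ...` is flagged with a note because current browsers ignore that value, so such a page is effectively unprotected unless a CSP `frame-ancestors` directive is also present.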