I am developing a widget which is to be hosted on a server, say www.exampleserver.com.
Our client will embed this iframe in his site, say www.validclient.com. Now, on embedding this widget, an SMS will be sent to the client's customer.
Now I was thinking about clickjacking by double framing, in which an attacker may embed our client's URL in an iframe. Now the widget server finds that the request is from the valid client and the server shoots an SMS.
Valid client code:
<html>
<!-- some lines of code -->
<iframe src="http://www.exampleserver.com"></iframe>
<!-- some lines of code -->
</html>
Attacker code:
<html>
<!-- some lines of code -->
<iframe src="http://www.validclient.com"></iframe>
<!-- some lines of code -->
</html>
So I just want my server URL's content to be rendered in the client's iframe, not in the attacker's iframe. For this security I have used:
Content-Security-Policy: frame-ancestors http://www.validclient.com
AND
X-Frame-Options: ALLOW-FROM http://www.validclient.com
This is amazing: it blocks our URL in the attacker's iframe.
But this is not supported by Internet Explorer and some other browsers.
Please tell me any other approach for prevention of this attack which must be universal for all browsers.
Thanks in advance. Hoping for positive replies.
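As an added example (not code from the post above), the widget page on www.exampleserver.com can count how many frames sit above it before it triggers the SMS action: cross-origin frames cannot read each other's location, but the window reference chain (`window.parent` up to `window.top`) is always traversable, so a widget framed once by the client and then again by an attacker sees a depth of 2. The `makeWindowChain` helper is a constructed stand-in for the browser hierarchy so the code runs outside a browser; this check complements the `frame-ancestors` / `X-Frame-Options` headers rather than replacing them, since it cannot tell the legitimate client from a direct (depth 1) framer.

```javascript
// Returns 0 when `win` is the top-level document, 1 when framed once,
// 2 when double-framed, and so on. Only the `parent` reference is
// touched, which the browser exposes even across origins.
function framingDepth(win) {
  let depth = 0;
  let current = win;
  while (current !== current.parent) {
    depth += 1;
    current = current.parent;
  }
  return depth;
}

function classifyEmbedding(win) {
  const depth = framingDepth(win);
  if (depth === 0) return "top-level";
  if (depth === 1) return "single-framed";
  return "double-framed";
}

// The widget's decision rule for the scenario in the post: the expected
// legitimate case is exactly one ancestor (validclient.com -> widget).
// A depth of 2 or more means something framed the client's page.
function shouldSendSms(win) {
  return framingDepth(win) === 1;
}

// Constructed test double: builds a chain of n nested frame objects whose
// `parent` links mirror the browser's window hierarchy (top.parent === top).
function makeWindowChain(n) {
  const top = {};
  top.parent = top;
  let current = top;
  for (let i = 0; i < n; i++) {
    current = { parent: current };
  }
  return current;
}

// In a real page, gate the action on the live `window` object.
if (typeof window !== "undefined") {
  if (!shouldSendSms(window)) {
    console.warn("widget is " + classifyEmbedding(window) + "; SMS action disabled");
  }
}
```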