Learn practical AI for business and earn your AI Professional certification. — Learn More

Box Status
Print

How Does Box Prevent Clickjacking?

Security , End User , Article , New , Instruction , Secure

What is clickjacking?

A clickjacking attack (more technically known as a "UI redress attack") occurs when a user's clicks or key presses are "hijacked" by an attacker. The attacker places their site in a frame (either opaque or transparent) over the site the user meant to visit. The user will still see the correct site, clicking on a seemingly innocuous button or link or entering sensitive information in one of the site's fields, and the attacker uses that click or tracks the keypresses for their own nefarious purposes, routing them to another application or domain.

How does Box prevent clickjacking?

To guard against clickjacking attacks, Box employs preventative measures in our embed widget as well as an X-Frame-Options header.

Our embed widget uses an interactive "Drag the Cloud" game in which a white cloud puzzle piece, randomly placed on the page, needs to be plugged into a cloud-shaped "hole" in the page, also randomly placed on the page. Because both of the objects are randomly placed on the page, the user's click locations cannot be predicted easily by attackers, making a clickjacking attack less effective and an attempt to use clickjacking measures less worthwhile. This randomized interaction is the most effective method of preventing clickjacking attempts available for embedded content. Users can feel secure that they are interacting with the correct site if they are able to click and drag the cloud into the correct place.

As a customer using Box, how do I prevent clickjacking?

Box recommends that customers use the Box Embed widget, which includes a randomized interaction (the "Drag the Cloud" game). However, we understand that some customers may not want to use the embed widget, or may want to use the widget without the included cloud-game interaction. We offer an option without the cloud-game interaction to those customers who have implemented one of our security team's approved clickjacking defenses.

If you are are interested in opting out of the cloud-game interaction, you need to contact Box Support to begin the process. In order to be granted an exemption from the cloud game, which provides clickjacking protection for Box content, Box Support need to know that your domains/websites have implemented their own form of clickjacking protection. Box Support will ask for:

  1. A list of all domains you would like to be exempt. This usually appears in the form of https://portal.example.com/resource/
  2. Proof, on those domains, that you have implemented at least one of the approved clickjacking defenses:
    • Return Content-Security-Policy (CSP) header with frame-ancestors directive:
      • The header should have the value frame-ancestors 'self' or frame-ancestors 'none'. Use 'self' to allow only the same origin, or 'none' to disallow all framing.
      • To verify that you are returning a CSP header, please include a screenshot or HAR capture of the response headers for all pages that will be added to the allow-list (even those that you do not plan to embed a widget on). This header must be present on the actual page, and not just on supporting API endpoints.
    • Return X-Frame-Options header in HTTP response:
      • You should pass an X-Frame-Options header value of DENY or SAMEORIGIN. We do not allow a header value of ALLOW-FROM.
      • To verify that you are returning an X-Frame-Options header, provide a screenshot of the response headers for all pages that will be part of the allow-list (even those you do not plan to embed a widget on). E.g.:
    • Pop-up a new window when displaying framed content. To verify that you are popping-up a new window when displaying framed content, provide a screen recording of this behavior for all pages that will be part of the allow-list (even those that you do not plan to embed a widget on).
    • In addition to providing a screenshot of the response headers, make sure you verify that you are returning x-frame-options on all pages that could match the URLs we add to the allow-list. You must have the chosen clickjacking defense implemented on ALL pages that could match the URLs we add to the allow-list, regardless of whether you plan to show the embed widget on that page. A common issue is that users will ask us to add https://portal.example.com/ to the allow-list but will only return x-frame-options on https://portal.example.com/some-page.  This is not acceptable - all pages matching https://portal.example.com/* would need to return the x-frame-options header.

Box clickjacking Defenses

Our approved clickjacking defenses include the following:

  1. Using a Content-Security-Policy (CSP) header with frame-ancestors directive
  2. Using an X-Frame-Options header
  3. Displaying framed content in a new window

The X-Frame-Options header is an industry-wide standard used to prevent clickjacking by specifying whether or not a site can be rendered within <frame> or <iframe> tags. For more specific information on the various X-Frame-Options header types, including browser support and limitations, see this article.

Box isn't showing up on my site properly, or I'm getting an empty frame, what should I do?

If you're seeing an empty frame when you try to use Box on your site, or you're getting an error page, use the Box Embed widget. To get the embed code, click the Share button, then click the Embed button from the Share window. Click Copy to Clipboard to copy the embed code, or select it directly from the field in the window and copy it. Paste the code into your html editor to use Box Embed.

tech_writers_swarm_kb

Related articles