Android Iframe SameOrigin on custom sites

We have an Android application that's iframe-ing our website into their application. However, to prevent clickjacking, we have the following directive in our proxy config:

Header append X-FRAME-OPTIONS "SAMEORIGIN"

This is a very common Cross-Origin Resource Sharing strategy.

Unfortunately the WebView in an Android browser has the origin file://, which is different from the domain we use. This leads to the error "refused to display ... x-frame-options set to sameorigin".

What strategies (either on the proxy or the client side) can I employ to allow the Android application to interact with our site (without COMPLETELY removing SAMEORIGIN)?

user2928738 asked Jan 12 '16 15:01


2 Answers

Don’t think you can do that, since Chromium doesn’t see Allow-From as a feature [1] and Android relies heavily on Chromium’s frameworks for WebViews.

I’m guessing your requirements are to block browser-based clickjacking?

Since you can’t use Allow-From, you may want to think about an approach similar to the one outlined in this BlackHat talk [2], UI Redressing Attacks on Android Devices. I’d recommend reading the entire PDF; really interesting stuff.

Check out Chapter 5, MITIGATION TECHNIQUES, Section 1, Browser-Based UI Redressing:

<style id="antiClickjack">
    body { display: none !important; }
</style>
<script type="text/javascript">
    if (self === top) {
        /* not framed: remove the hiding rule so the page renders */
        var antiClickjack = document.getElementById("antiClickjack");
        antiClickjack.parentNode.removeChild(antiClickjack);
    } else {
        /* framed: navigate the top-level window to this page */
        top.location = self.location;
    }
</script>

[1] https://code.google.com/p/chromium/issues/detail?id=129139#c20
[2] https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf

JBirdVegas answered Sep 27 '22 18:09

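The snippet in the answer above, as an added example that is not part of the answer or of the BlackHat paper it cites: the same hidden-by-default plus frame-busting logic, factored into functions that take the `self`, `top` and `document` objects as parameters so the decision can be exercised outside a browser. The `makeWindow` and `makeDocument` helpers are stand-ins constructed for this example; in a real page the script runs against the live `window` objects. Note that the script only ever assigns `top.location` (permitted across origins) and never reads it (which throws cross-origin); if the framing page blocks the navigation, for instance with a sandboxed iframe lacking allow-top-navigation, the body simply stays hidden, which is the fail-closed behaviour the style rule provides.

```javascript
// Decide what the framed page should do. Returns "reveal" when the page is the
// top-level document, otherwise "bust" after attempting to replace the top frame.
function antiClickjack(self, top) {
  if (self === top) {
    return { action: "reveal" };
  }
  // Assignment to top.location is allowed by the same-origin policy even for a
  // cross-origin top; reading top.location.href would throw a SecurityError.
  top.location = self.location;
  return { action: "bust", target: self.location.href };
}

// Wire the decision to the document: remove the hiding <style> only when the
// page is confirmed to be unframed. When framed, the rule stays in place, so the
// page remains invisible even if the busting navigation is blocked.
function applyAntiClickjack(doc, self, top) {
  const result = antiClickjack(self, top);
  if (result.action === "reveal") {
    const style = doc.getElementById("antiClickjack");
    if (style && style.parentNode) {
      style.parentNode.removeChild(style);
    }
  }
  result.hidden = doc.getElementById("antiClickjack") !== null;
  return result;
}

// --- Stand-in objects, constructed for this example (not browser APIs) ---

// Minimal window: a `location` object with an href, like window.location.
function makeWindow(href) {
  return { location: { href } };
}

// Minimal document containing a <style id="antiClickjack"> attached to <body>.
// getElementById returns null once the style has been removed from its parent.
function makeDocument() {
  const body = {
    children: [],
    removeChild(node) {
      const i = this.children.indexOf(node);
      if (i < 0) throw new Error("node is not a child of body");
      this.children.splice(i, 1);
      node.parentNode = null;
      return node;
    },
  };
  const style = { id: "antiClickjack", parentNode: body };
  body.children.push(style);
  return {
    body,
    getElementById(id) {
      return id === "antiClickjack" && style.parentNode === body ? style : null;
    },
  };
}

// Scenario 1: page loaded directly (self === top) -> style removed, page shown.
function runUnframed() {
  const win = makeWindow("https://example.com/account");
  return applyAntiClickjack(makeDocument(), win, win);
}

// Scenario 2: page framed by another origin -> top navigated, page stays hidden.
function runFramed() {
  const attackerTop = makeWindow("https://attacker.example/decoy");
  const victimFrame = makeWindow("https://example.com/account");
  const result = applyAntiClickjack(makeDocument(), victimFrame, attackerTop);
  result.topHref = attackerTop.location.href;
  return result;
}
```

In a browser the two scenarios correspond to opening the page in a tab (style removed, content visible) and to an attacker's page embedding it (top window is redirected to the real page; until that navigation completes, or if it is blocked, the body stays hidden). The WebView case from the question behaves like the second scenario: the WebView's top-level document is not the framed page, so the script would redirect the WebView rather than display the site inside the app's iframe.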

The WebView has a loadDataWithBaseURL() method. You could read in your file and pass it through with whatever origin you need as the base URL.

public void loadDataWithBaseURL(String baseUrl,
                                String data,
                                String mimeType,
                                String encoding,
                                String historyUrl)

Loads the given data into this WebView, using baseUrl as the base URL for the content. The base URL is used both to resolve relative URLs and when applying JavaScript's same origin policy.

Martin M Reed answered Sep 27 '22 17:09