Prevent clickjacking using Office.js
The documentation at https://github.com/OfficeDev/office-js-docs/blob/master/docs/develop/privacy-and-security.md#tips-to-prevent-clickjacking lists a bunch of ways to help prevent clickjacking, by having the user confirm before performing potentially dangerous actions.

I was wondering if it would be just as safe to not render any UI on the page at all, until Office.initialize is called? Or is there a way for an attacker to iframe my add-in on their page and somehow replace the Office SDK with a malicious version?

Upali answered 6/1, 2017 at 19:59 Comment(0)
Yes, a malicious attacker could attempt to emulate the add-in runtime. It is best to make sure the user confirms sensitive actions as described in the best practices. If your add-in requires the user to log in, that is one way of getting user input that would help mitigate.

Gramercy answered 3/2, 2017 at 21:50 Comment(1)
Thanks for the answer! This makes sense, we're making sure to perform our potentially dangerous actions only after the user has confirmed the action via a pop-up window. – Upali

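The pattern the answer and the follow-up comment describe (render nothing until the runtime is ready, and treat readiness as necessary but never sufficient, so a sensitive action also needs an explicit, single-use user confirmation) as an added example. This is illustration code, not code from the question, the answer or Office.js: the Office host is stood in for by plain function calls so the module runs under Node without office.js. In a real add-in, markReady() would be called from the Office.onReady / Office.initialize callback and askUser would open a dialog (for example via Office.context.ui.displayDialogAsync); those two names are the real Office.js APIs, everything else here (SensitiveActionGate, the action ids, the walkthrough) is invented for illustration.

```javascript
// Added example, not code from the question or the answer: a gate that keeps a
// sensitive operation blocked until (a) the host runtime has signalled
// readiness and (b) the user has explicitly confirmed that specific action in a
// separate prompt. Office.onReady / Office.initialize and
// Office.context.ui.displayDialogAsync are the real Office.js hooks this would
// sit behind; every other name here is hypothetical.

class SensitiveActionGate {
  constructor() {
    this.runtimeReady = false;   // flipped when the host says it is ready
    this.confirmed = new Set();  // action ids the user confirmed, consumed on use
    this.audit = [];             // record of prompts and their outcomes
  }

  // Host runtime reported readiness. A forged runtime could trigger this too,
  // which is why readiness alone never unlocks a sensitive action.
  markReady() {
    this.runtimeReady = true;
  }

  // What the renderer should draw: nothing at all before readiness.
  uiToRender() {
    return this.runtimeReady ? "main" : "none";
  }

  // Prompt the user for one action. askUser(actionId) -> boolean models the
  // dialog result; only an explicit true counts, anything else is a decline.
  confirm(actionId, askUser) {
    if (!this.runtimeReady) throw new Error("runtime not ready: no UI, no prompt");
    const ok = askUser(actionId) === true;
    if (ok) this.confirmed.add(actionId);
    this.audit.push({ actionId, confirmed: ok });
    return ok;
  }

  // Execute the action only with a fresh, matching confirmation. The
  // confirmation is single-use, so a hidden second click cannot ride on it.
  run(actionId, fn) {
    if (!this.runtimeReady) throw new Error("runtime not ready");
    if (!this.confirmed.has(actionId)) {
      throw new Error(`${actionId}: not confirmed by the user`);
    }
    this.confirmed.delete(actionId);
    return fn();
  }
}

// Constructed walkthrough of the states a practitioner cares about. Returns a
// plain object so the outcomes can be checked rather than only printed.
function walkthrough() {
  const gate = new SensitiveActionGate();
  const out = {};
  const tryRun = (id) => {
    try {
      return gate.run(id, () => `${id}: done`);
    } catch (e) {
      return `blocked: ${e.message}`;
    }
  };

  out.uiBeforeReady = gate.uiToRender();          // "none"
  out.runBeforeReady = tryRun("deleteSheet");     // blocked
  gate.markReady();                               // host (or a forged host) signals readiness
  out.uiAfterReady = gate.uiToRender();           // "main"
  out.runWithoutConfirm = tryRun("deleteSheet");  // still blocked: readiness is not consent
  gate.confirm("deleteSheet", () => false);       // user declines in the dialog
  out.runAfterDecline = tryRun("deleteSheet");    // blocked
  gate.confirm("deleteSheet", () => true);        // user explicitly accepts
  out.runAfterAccept = tryRun("deleteSheet");     // "deleteSheet: done"
  out.runReplay = tryRun("deleteSheet");          // blocked: confirmation already consumed
  gate.confirm("deleteSheet", () => true);
  out.runOtherAction = tryRun("sendMail");        // blocked: confirmation is per action
  out.auditLength = gate.audit.length;            // 3 prompts recorded
  return out;
}

console.log(JSON.stringify(walkthrough(), null, 2));
```

The design point is the one the answer makes: since an attacker framing the add-in might be able to emulate the runtime, `markReady()` is treated as untrusted input that only controls what is drawn, while the decision in the confirmation prompt (which the attacker cannot click through on the user's behalf) is what actually unlocks the action, once, for that action only.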