Integration Guide for Oracle Billing Insight > Using an External Authentication System >

Avoiding Clickjacking Using X-Frame-Options Security Settings


Oracle Billing Insight uses the X-Frame-Options HTTP response header to defend against UI redress attacks, known as clickjacking, by preventing application content from being embedded in other sites. On a clickjacked page, an attacker loads an Oracle Billing Insight page in a transparent frame over the attacker's own page and tricks Oracle Billing Insight users into clicking on it, performing actions that could, for example, disclose payment account information.

Oracle Billing Insight sends the SAMEORIGIN X-Frame-Options value, which lets a browser display the page in a frame only when the framing site is the same origin as the one serving the page. This prevents Oracle Billing Insight content from being embedded in other sites and is the setting recommended by OWASP.

If you have implemented your own integration from an external system, follow the steps in this topic to configure the Self-Service and Assisted Service applications to allow framing from one specific origin using the ALLOW-FROM URI header value, while still preventing Oracle Billing Insight from being embedded by any other page.

CAUTION:  If you allow the Self-Service or Assisted Service applications to be embedded from an external system (one that is not same origin), any page on that origin can frame them, so you accept the clickjacking risk for that origin. Allow only an origin you control.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. There are three possible values for X-Frame-Options:

  • SAMEORIGIN. The page can be displayed in a frame on the same origin only.
  • ALLOW-FROM URI. The page can be displayed in a frame only on the single origin given by the URI.
  • DENY. The page cannot be displayed in a frame at all, whether the framing page is on another site or on the same site.

Browser support also varies. Older browsers ignore X-Frame-Options entirely, so if your users rely on them you also need the JavaScript fallback in the Assisted Service application described in step 2 below. Note too that the ALLOW-FROM value is not honored by every current browser (for example, Chrome and Safari never implemented it, and Firefox has since dropped it); a browser that does not recognize the value does not enforce the header, so the script fallback matters there as well. For details on browser support, see

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

To configure Oracle Billing Insight applications to avoid clickjacking when accessing from external sites

  1. For the Self-Service and Assisted Service applications:
    1. Open the globalConfig.xma.xml file, located in the following directory:
      • UNIX. EDX_HOME/xma/config/modules
      • Windows. EDX_HOME\xma\config\modules
    2. In the following code, change the X-Frame-Options value from SAMEORIGIN to ALLOW-FROM $URL in both properties, where $URL is the origin (scheme and host) of the external site. ALLOW-FROM accepts a single URI, so list only that origin:

    <property name="additionalHttpResponseHeaders">
      <props>
        <prop key="X-Frame-Options">SAMEORIGIN</prop>
      </props>
    </property>
    <property name="csrAdditionalHttpResponseHeaders">
      <props>
        <prop key="X-Frame-Options">SAMEORIGIN</prop>
      </props>
    </property>

  2. For accessing the Assisted Service application in old browsers that do not support X-Frame-Options, the application hides its content with a script unless it is the top-level window. Update that script so that it also accepts the external site:
    1. Open the _assets\templates\security.jsp file found in the csr-web-1.0-SNAPSHOT.war file.
    2. Edit the if (self === top) line so that the page also stays visible when it is framed by the external site. A frame cannot read top.location.href when the top window is on another origin (browsers throw a security error), so identify the framing page from document.referrer and compare it with the full origin of the external site (scheme and host), as in:

    if (self === top || document.referrer.indexOf('https://www.example.com/') === 0)

    This line is found in the following section within the JSP file (the style hides the body until the script confirms the page is not framed by an untrusted site; otherwise the script navigates the top window to the application itself):

    <style id="antiClickjack">
    body {
    display: none !important;
    }
    </style>
    <script type="text/javascript">
    if (self === top) {
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
    } else {
    top.location = self.location;
    }
    </script>
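The following is an added example, not code from the Oracle Billing Insight security.jsp file: a frame-busting fallback that accepts a list of trusted framing origins instead of a single hard-coded string, and that fails closed when the browser cannot tell who framed the page. The origin https://portal.example.com, the function names, and the use of location.ancestorOrigins (available in Chromium-based browsers and Safari) and document.referrer as fallback are assumptions for illustration.

```javascript
// Added example (not Oracle Billing Insight code): allow-list frame-busting
// fallback for browsers that ignore X-Frame-Options or its ALLOW-FROM value.
// The origin below is a hypothetical placeholder for the external system.
const ALLOWED_FRAMING_ORIGINS = ['https://portal.example.com'];

// Extract scheme://host[:port] from a URL string; null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether the document may stay visible.
//   framed:          true when window.self !== window.top
//   ancestorOrigins: origins of every ancestor frame when the browser exposes
//                    location.ancestorOrigins, otherwise null
//   referrer:        document.referrer, used only when ancestorOrigins is unavailable
// Fails closed: if the framing chain cannot be established, treat it as hostile.
function framingAllowed(framed, ancestorOrigins, referrer, allowed = ALLOWED_FRAMING_ORIGINS) {
  if (!framed) return true;
  if (Array.isArray(ancestorOrigins)) {
    // Every ancestor must be trusted: a trusted portal framed by an attacker
    // would otherwise let the attacker clickjack through the portal.
    return ancestorOrigins.length > 0 && ancestorOrigins.every(o => allowed.includes(o));
  }
  const ref = originOf(referrer || '');
  return ref !== null && allowed.includes(ref);
}

// Browser wiring: keep the body hidden (via the antiClickjack style) until the
// decision is made, then reveal it or break out of the hostile frame.
function applyAntiClickjack() {
  if (typeof window === 'undefined') return; // not in a browser (e.g. run under Node)
  const framed = window.self !== window.top;
  const ancestors = window.location.ancestorOrigins
    ? Array.from(window.location.ancestorOrigins) : null;
  if (framingAllowed(framed, ancestors, document.referrer)) {
    const style = document.getElementById('antiClickjack');
    if (style) style.parentNode.removeChild(style);
  } else {
    // Writing top.location is allowed even cross-origin; it navigates the
    // attacker's page away to the application itself.
    window.top.location = window.self.location;
  }
}

applyAntiClickjack();
```

The referrer path is weaker than the ancestorOrigins path: document.referrer only identifies the immediate parent, so a trusted portal nested inside an attacker's page passes the check; it is also empty when the parent sends no Referer, in which case the function fails closed and the page busts out of the frame. Keep the X-Frame-Options header as the primary control and treat this script as a fallback for browsers that ignore it.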

Integration Guide for Oracle Billing Insight Copyright © 2016, Oracle and/or its affiliates. All rights reserved. Legal Notices.