
Avoiding Clickjacking Using X-Frame-Options Security Settings


Oracle Billing Insight uses the X-Frame-Options HTTP response header to prevent UI redress attacks, known as clickjacking, in which application content is embedded into another site. On a clickjacked page, an attacker loads an Oracle Billing Insight page in a transparent frame over the attacker's own page and tricks an Oracle Billing Insight user into clicking on it, performing actions that could, for example, enable the attacker to steal payment account information.

By default, Oracle Billing Insight sends the SAMEORIGIN X-Frame-Options value, which lets the page be displayed in a frame only when the framing page is served from the same origin as the framed page. This prevents Oracle Billing Insight content from being embedded into other sites and is the setting recommended by OWASP.

If you have implemented your own integration from an external system, follow the steps in this topic to configure the Self-Service and Assisted Service applications to allow framing only from a specific origin, using the ALLOW-FROM URI response header value, so that Oracle Billing Insight still cannot be embedded by any other outside page.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. There are three possible values for X-Frame-Options:

  • SAMEORIGIN. The page can be displayed in a frame only on the same origin that serves it.
  • ALLOW-FROM URI. The page can be displayed in a frame only on the origin specified as the URI.
  • DENY. The page cannot be displayed in a frame at all, whether the framing page is on another site or on the same site.

Browser support for X-Frame-Options is not uniform, and the ALLOW-FROM value in particular is obsolete: Chrome and Safari never implemented it, Firefox has since removed it, and a browser that does not recognize the value ignores the whole header, which leaves the page framable from any site in that browser. Verify the behavior in every browser you support, and consider sending the Content-Security-Policy frame-ancestors directive alongside X-Frame-Options, which is the current standard mechanism for the same purpose. Depending on the browsers you support, you may also need to configure the Assisted Service application as described below. For more information about browser issues, see

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

To configure the integrated Assisted Service application to avoid clickjacking when accessing from external sites

  1. Open the spring-security.xml file, located in the following directory:
    • UNIX. EDX_HOME/config/security/csr
    • Windows. EDX_HOME\config\security\csr
  2. In the following code, change the allowFrom value (the shipped default is *.oracle.com) to the domain name or host name of the application that embeds Oracle Billing Insight in an iFrame:

    <bean id="EBillAllowFromStrategy" class="com.edocs.common.security.intg.EBillAllowFromStrategy">
        <!-- allowFrom lists the hosts permitted to frame the integrated CSR application.
             A '*' wildcard is supported, and multiple entries are delimited by "|".
             Examples:
               www.crm.company.com           one specific host name
               *.company.com                 all hosts of the company.com domain
               *.company.com|*.group.com     all hosts of the company.com and group.com domains -->
        <property name="allowFrom" value="*.oracle.com" />
    </bean>
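The following is an added example, not Oracle's code and not the contents of EBillAllowFromStrategy, whose internals this topic does not describe. It models the decision behind the three header values listed above and the allowFrom rules from the configuration comment (a literal host, a '*' wildcard, several entries delimited by "|"), and shows the equivalent Content-Security-Policy frame-ancestors directive. The function names, the default-to-DENY behavior, the treatment of scheme-less values as https, and the assumption that the embedding page is identified by a from query parameter or the Referer header are all mine. The sample configuration and the sample framer values are constructed.

```python
"""
Added example (not Oracle's code): a small model of the ALLOW-FROM decision
described in the Assisted Service configuration topic, using the matching
rules from the spring-security.xml comment (literal host, '*' wildcard, several
entries delimited by '|'), plus the equivalent CSP frame-ancestors directive.
Function names, the default-to-DENY behaviour and the assumption that the
embedding page is identified by a `from` query parameter or the Referer header
are assumptions; the internals of EBillAllowFromStrategy are not documented.
"""
import re
from urllib.parse import urlsplit

# Constructed sample configuration, in the same form as the allowFrom property.
ALLOW_FROM = "*.company.com|*.group.com"


def compile_allow_from(allow_from):
    """Turn 'host|*.domain|...' into regexes matched against the whole host name.

    '*' matches any run of host-name characters (so any subdomain depth); every
    other character is literal.  Matching the full host, not a substring, is what
    stops '*.company.com' from accepting 'company.com.attacker.net' or
    'evil-company.com'.
    """
    patterns = []
    for entry in allow_from.split("|"):
        entry = entry.strip().lower()
        if not entry:
            continue
        regex = "".join(
            "[a-z0-9.-]*" if part == "*" else re.escape(part)
            for part in re.split(r"(\*)", entry)
        )
        patterns.append(re.compile(regex))
    return patterns


def framer_origin(candidate):
    """Normalise the value naming the embedding page into (host, origin).

    Assumption: a scheme-less value such as 'www.crm.company.com' means https.
    Only the host component is compared against allowFrom; path, query and
    userinfo are ignored so an allowed string placed there cannot match.
    """
    if "://" not in candidate:
        candidate = "https://" + candidate
    parts = urlsplit(candidate)
    host = (parts.hostname or "").lower()
    return host, f"{parts.scheme}://{parts.netloc}"


def x_frame_options_value(allow_from, framer):
    """Return the X-Frame-Options value to send for one request.

    framer is the string identifying the page that wants to frame us (None when
    the request carries neither a `from` parameter nor a Referer).  Anything not
    explicitly allowed gets DENY rather than a missing header.
    """
    if not framer:
        return "DENY"
    host, origin = framer_origin(framer)
    if host and any(p.fullmatch(host) for p in compile_allow_from(allow_from)):
        return f"ALLOW-FROM {origin}"
    return "DENY"


def frame_ancestors_directive(allow_from, scheme="https"):
    """Express the same allow list as a CSP frame-ancestors directive, which
    current browsers honour where ALLOW-FROM is ignored.

    CSP host sources only permit '*' as the leftmost label ('*.example.com'),
    so any other wildcard placement is rejected instead of silently widened.
    """
    sources = []
    for entry in allow_from.split("|"):
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry == "*" or "*" in entry[1:] or (entry[0] == "*" and entry[:2] != "*."):
            raise ValueError(f"{entry!r}: '*' is only allowed as a leading '*.' label")
        sources.append(f"{scheme}://{entry}")
    return "frame-ancestors " + " ".join(sources)


if __name__ == "__main__":
    for framer in ["https://www.crm.company.com/app",    # allowed subdomain
                   "https://company.com.attacker.net/",  # suffix-spoofing attempt
                   "https://evil-company.com",           # prefix-spoofing attempt
                   "https://company.com",                # apex: not covered by '*.'
                   None]:                                # no framer identified
        print(f"{str(framer):40} -> {x_frame_options_value(ALLOW_FROM, framer)}")
    print(frame_ancestors_directive(ALLOW_FROM))
```

Two points the example makes that the configuration comment does not: a pattern such as *.company.com does not cover the bare apex company.com, so list it explicitly if the embedding page is served from there; and because ALLOW-FROM names exactly one origin, the server must know who is framing it for each request, which is why the decision falls back to DENY whenever that information is absent.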

Integration Guide for Oracle Billing Insight Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Legal Notices.