What Happened to the SANS Ads?
You may have noticed that the "ad" frame we use in the top right corner has been empty for the last couple days. Oddly, we didn't get a lot of complaints about that ;-)
The reason is pretty simple: The SANS ads are included via an iframe. However, iframes, as Smit B. Shah pointed out in an e-mail to the SANS webmaster, can also be used in clickjacking attacks. So we decided to implement a simple anti-clickjacking defense by adding the "X-Frame-Options: SAMEORIGIN" header to all sans.org pages. Of course, "isc.sans.edu" is not "sameorigin" and the ads no longer show up if your browser supports the header.
Yes, there are JavaScript tricks to prevent clickjacking, but they are far from reliable. If you still see the ads: You probably should use a newer browser. Of course, we will exempt some pages (like the ads ;-) ) from the header in the future, but for now we figured that adding the header is more important than showing ads.
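The header policy described above, sketched as an added example (not code from SANS or from this post): a WSGI middleware that sends "X-Frame-Options: SAMEORIGIN" on every response except an exempt list, plus a simplified model of the browser-side check that compares the framed page only with the page embedding it. The "/ads/" prefix, the https scheme and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical path prefixes meant to be embedded by other sites (assumption).
EXEMPT_PREFIXES = ("/ads/",)
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))


def frame_headers(path):
    """Server policy: SAMEORIGIN everywhere except the exempt prefixes."""
    if path.startswith(EXEMPT_PREFIXES):
        return {}
    return {"X-Frame-Options": "SAMEORIGIN"}


def browser_renders_frame(parent_url, framed_url, headers):
    """Simplified model of a header-aware browser deciding to show an iframe."""
    value = headers.get("X-Frame-Options", "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(parent_url) == origin(framed_url)
    return True  # no header: framing is unrestricted


class FrameOptionsMiddleware:
    """WSGI middleware that applies frame_headers() to every response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        extra = list(frame_headers(environ.get("PATH_INFO", "/")).items())

        def patched(status, headers, exc_info=None):
            # The middleware is authoritative: drop any app-set value first.
            kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            return start_response(status, kept + extra, exc_info)

        return self.app(environ, patched)
```

With these functions, a page on isc.sans.edu framing a non-exempt sans.org URL is refused by the model, while the same frame pointed at an exempt path is displayed.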
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute