Article Details
Id:18152
Product:finPOWER Connect Cloud
Type:NEW
Version:3.04.00.28
Opened:04/05/2021
Closed:06/05/2021
Released:01/07/2021
Job: J026497

Click Jacking Protection added

Click-Jacking a website usually involves an attacker's page loading the target website in an HTML IFRAME (often made transparent) and overlaying or positioning decoy content so that the User's clicks and keystrokes, such as a password entry, go to the framed website without the User realising it.

This is explained in this article: https://en.wikipedia.org/wiki/Clickjacking

The following have now been added to finPOWER Connect Cloud to prevent this:

  • The HTTP Header "X-Frame-Options" has been added with a value of "SAMEORIGIN", meaning that a browser will only render a finPOWER Connect Cloud page inside an IFRAME when the framing page has the same origin (scheme, host and port), i.e. only IFRAMEs actually within finPOWER Connect Cloud will work

NOTE: For existing installations this header can also be configured on the IIS server hosting finPOWER Connect Cloud or Web Services. This release, however, adds the header itself without any additional configuration being required.

This has also been applied to Web Services, thereby protecting both the Web Administration facility and all Portals from this type of attack. However, the ability for externally hosted HTML Widgets (which reference the External/HtmlWidgetHost1.aspx file) to be hosted in an IFRAME on another site has been preserved; that page is the one exception to the restriction.

NOTE: Although "X-Frame-Options" is superseded by the "frame-ancestors" directive of the "Content-Security-Policy" header, which is addressed in another update, it is supported by all web browsers dating back to Internet Explorer 8 as detailed at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options. Where both headers are present, a browser that understands "frame-ancestors" ignores "X-Frame-Options", so the two must agree.
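The following is an added example, not part of finPOWER Connect Cloud or this article, that a practitioner can use to verify the behaviour described above after the upgrade: it reproduces the browser's framing decision (SAMEORIGIN compared on scheme, host and port; "Content-Security-Policy: frame-ancestors" taking precedence over "X-Frame-Options") and audits a set of captured response headers, expecting every page except the External/HtmlWidgetHost1.aspx widget host to refuse third-party framing. The host names, paths other than the widget host, and the response headers are constructed for illustration and are assumptions; in practice the headers would come from real HTTPS responses (e.g. requests.head on each URL).

```python
"""Added example (not finPOWER code): check anti-clickjacking headers offline."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# The one page the article says must remain frameable by other sites.
WIDGET_HOST = "/External/HtmlWidgetHost1.aspx"


def origin(url):
    """Origin tuple (scheme, host, port); SAMEORIGIN compares all three."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme, 0))


def frame_ancestors(csp):
    """Source list of the frame-ancestors directive in a CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def source_matches(source, framer_url, framed_url):
    """Minimal frame-ancestors source matching: 'none', 'self', '*', scheme:, host[:port]."""
    if source == "none":
        return False
    if source == "*":
        return True
    if source == "self":
        return origin(framer_url) == origin(framed_url)
    f_scheme, f_host, f_port = origin(framer_url)
    if source.endswith(":"):                      # scheme source, e.g. "https:"
        return f_scheme == source[:-1]
    if "://" not in source:                       # bare host source: use the framed page's scheme
        source = origin(framed_url)[0] + "://" + source
    s = urlsplit(source)
    s_host = (s.hostname or "").lower()
    host_ok = f_host.endswith(s_host[1:]) if s_host.startswith("*.") else f_host == s_host
    port_ok = s.port is None or s.port == f_port
    return host_ok and port_ok and f_scheme == s.scheme.lower()


def framing_allowed(framed_url, framer_url, headers):
    """(allowed, reason): would a browser render framed_url inside a page at framer_url?"""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    ancestors = frame_ancestors(csp) if csp else None
    if ancestors is not None:
        # frame-ancestors present: the browser ignores X-Frame-Options entirely.
        ok = any(source_matches(src, framer_url, framed_url) for src in ancestors)
        return ok, "CSP frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        return origin(framer_url) == origin(framed_url), "X-Frame-Options SAMEORIGIN"
    if xfo:
        # Obsolete ALLOW-FROM and other unrecognised values are ignored by current browsers.
        return True, "X-Frame-Options value not enforced: " + xfo
    return True, "no framing restriction"


def audit(responses, attacker_url="https://evil.example/decoy.html"):
    """Return (url, finding) pairs for pages whose framing behaviour is wrong; [] if all good.

    Every page must refuse framing from a third-party origin, except the external
    widget host, which must still be frameable by other sites.
    """
    findings = []
    for url, headers in responses.items():
        third_party, reason = framing_allowed(url, attacker_url, headers)
        must_be_frameable = urlsplit(url).path.endswith(WIDGET_HOST)
        if third_party and not must_be_frameable:
            findings.append((url, "frameable by " + attacker_url + " (" + reason + ")"))
        elif must_be_frameable and not third_party:
            findings.append((url, "widget host blocked by " + reason))
    return findings


# Constructed sample responses (hypothetical host and paths), as after the upgrade.
SAMPLE_RESPONSES = {
    "https://finance.example.com/finPOWERConnectCloud/Default.aspx": {"X-Frame-Options": "SAMEORIGIN"},
    "https://finance.example.com/WebServices/Portal/Login.aspx": {"X-Frame-Options": "SAMEORIGIN"},
    "https://finance.example.com/WebServices/External/HtmlWidgetHost1.aspx": {},
    "https://finance.example.com/WebServices/Admin/Default.aspx": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'none'",
    },
}

if __name__ == "__main__":
    for url, finding in audit(SAMPLE_RESPONSES) or [("(all pages)", "OK")]:
        print(url, "-", finding)
```

Note that a framer on the same host but a different scheme or port (for example http:// instead of https://, or a non-default port) is a different origin and is refused by SAMEORIGIN, which matters when a Portal is reverse-proxied or tested over plain HTTP.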