What is clickjacking?

A clickjacking attack (more technically known as a "UI redress attack") occurs when a user's clicks or key presses are "hijacked" by an attacker. The attacker places their site in a frame (either opaque or transparent) over the site the user meant to visit. The user still sees the correct site and clicks a seemingly innocuous button or link, or enters sensitive information in one of the site's fields, while the attacker uses that click or tracks the keypresses for their own nefarious purposes, routing them to another application or domain.


How does Box prevent clickjacking?

To guard against clickjacking attacks, Box employs preventative measures in our embed widget as well as an X-Frame-Options header. 

Our embed widget uses an interactive "Drag the Cloud" game in which a white cloud puzzle piece, randomly placed on the page, needs to be plugged into a cloud-shaped "hole" that is also randomly placed on the page. Because both objects are randomly placed, attackers cannot easily predict the user's click locations, which makes a clickjacking attack less effective and less worthwhile to attempt. This randomized interaction is the most effective method of preventing clickjacking attempts available for embedded content. Users can feel secure that they are interacting with the correct site if they are able to click and drag the cloud into the correct place.


As a partner using Box, how do I prevent clickjacking?

Box recommends that partners use the Box Embed widget, which includes a randomized interaction (the "Drag the Cloud" game). However, we understand that some partners may not want to use the embed widget, or may want to use the widget without the included cloud-game interaction. We offer an option without the cloud-game interaction to those partners who have implemented one of our security team's approved clickjacking defenses. Partners who are interested in opting out of the cloud-game interaction will need to contact their Box Support representative to begin the process. 

Our approved clickjacking defenses include the following:

  1. Using an X-Frame-Options header 
  2. Displaying framed content in a new window
  3. Implementing a randomized user interaction before allowing access to the application

The X-Frame-Options header is an industry-wide standard used to prevent clickjacking by specifying whether or not a site can be rendered within <frame> or <iframe> tags. For more specific information on the various X-Frame-Options header types, including browser support and limitations, see this article.
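
As an added example (not Box's code), the function below audits a response's headers for framing protection. It goes slightly beyond the text by also reading the CSP `frame-ancestors` directive, which browsers enforce instead of X-Frame-Options when both are present; the function name, verdict labels and sample origins are assumptions made for illustration.

```javascript
// Added example (not Box code): audit a response's anti-framing headers.
// `headers` is a plain object of name -> value, e.g. built from a captured response.
function auditFraming(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  // CSP frame-ancestors, when present, is enforced instead of X-Frame-Options.
  // Assumes the header value carries a single policy.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1).map((s) => s.toLowerCase());
    if (sources.length === 0 || sources.join() === "'none'") {
      return { framing: 'blocked', via: 'csp' };
    }
    if (sources.includes('*')) return { framing: 'unrestricted', via: 'csp' };
    if (sources.join() === "'self'") return { framing: 'same-origin', via: 'csp' };
    return { framing: 'allowlist', via: 'csp', sources };
  }

  const xfo = h['x-frame-options'];
  if (xfo === undefined) return { framing: 'unrestricted', via: 'none' };
  switch (xfo.toUpperCase()) {
    case 'DENY':
      return { framing: 'blocked', via: 'xfo' };
    case 'SAMEORIGIN':
      return { framing: 'same-origin', via: 'xfo' };
    default:
      // ALLOW-FROM is obsolete and ignored by modern browsers; comma-joined or
      // misspelled values are not a single valid directive. Flag for review.
      return { framing: 'invalid', via: 'xfo', value: xfo };
  }
}
```

A verdict of `invalid` or `unrestricted` on a page that handles sensitive actions is the finding to fix.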


Box isn't showing up on my site properly, or I'm getting an empty frame. What should I do?

If you're seeing an empty frame when you try to use Box on your site, or you're getting an error page, use the Box Embed widget. To get the embed code, click the Share button, then click the Embed button from the Share window. Click Copy to Clipboard to copy the embed code, or select it directly from the field in the window and copy it. Paste the code into your HTML editor to use Box Embed.