Preventing Clickjacking

Clickjacking is an attack that tricks users by showing them an innocuous page that includes real controls from sensitive pages. These controls are disguised through the use of background frames that mask off everything except the control, and the user cannot tell that they are actually clicking on a sensitive function on some other website. This can cause users to unwittingly download malware, provide credentials or sensitive information, transfer money, or purchase products online.

To prevent clickjacking via ExLibris products, ExLibris has adopted a policy-based mitigation technique. Now institutions can instruct the browser about appropriate actions to perform if their site is included inside an iFrame.

1. Open the iFrame Embedding Options table (Configuration > General > iFrame Embedding Options). 
2. For the desired product and component, select Customize in the row actions.

   Alma Management and Esploro Management cannot be framed. This configuration cannot be edited. 

3. In the Action column, select the appropriate action to perform if your site is included inside an iFrame:
   • Allow all (default option) -  Allow all pages to load this page inside an iFrame.
   • Allow protected - Only trusted pages are permitted to load this page inside an iFrame. If you selected this option, in the Safe Domain column indicate the trusted URLs (no limit on the number of URLs you can specify, list multiple URLs with a blank space between them).
   • Block All - Deny all attempts to frame the page.
4. Click Save.  

Additional References

• Ongoing Maintenance and Administration in Esploro
• Esploro Integration