The case: http://i.imgur.com/l4eHlOe.jpg
What is presented here as clickjacking danger seems a necessary feature on the YouTube website
to ensure the video interface to function correctly.
So, is there real clickjacking danger here, as Maone’s extention so boldly alerts for?
No, there is not, because when cheking for Clickjacking Warning we will get a Pass all green.
Requested URL: https://www.youtube.com/ | Response URL: https://www.youtube.com/ | Page title: YouTube | HTTP status code: 200 (OK) | Response size: 497,699 bytes (gzip’d) | Duration: 1,333 ms
Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An “X-Frame-Options” header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.
Result
Good news — an X-Frame-Options header with a value of “SAMEORIGIN” is being sent by the server.
Someone should report on the NoScript forum the extension should also consider the results of a https://securityheaders.io/ scan,
so it will no longer give false alerts as the above and scare the socks off of the unaware user of the extension.
That’s it, folks, and I hope the info helps.
polonus (volunteer website security analyst and website error-hunter)