Maybe you heard about clickjacking, maybe you didn't. In short: it's an attack on a web user that uses transparent frames. The user thinks she/he is clicking on something, but in fact she/he clicks on something else. The user will never know, because the intended action is also executed (or executed if clicked again, or something like that). Here's the original paper by Robert Hansen and Jeremiah Grossman.
But what to do about it? Well... there isn't very much that you can do to protect your user. It is possible to prevent your web application from being loaded in a frame by adding an HTTP header. This prevents clickjacking, but the header has to be supported by the browser the user uses. IE8 supports the X-FRAME-OPTIONS HTTP header, and Firefox will if the user installs the NoScript extension. X-FRAME-OPTIONS has two possible values: DENY (disallow being loaded in a frame at all) and SAMEORIGIN (only allow being loaded in a frame by pages from the same origin as the framed page).
One way to add X-FRAME-OPTIONS to your HTTP response headers is with an HTTP module. Here's an example of this simple module:
using System;
using System.Web;

public class AntiClickJackingModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        // Hook the end of every request so the header is added to every response
        context.EndRequest += new EventHandler(context_EndRequest);
    }

    private void context_EndRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication) sender;
        HttpContext context = application.Context;
        // Add the X-FRAME-OPTIONS header; use SAMEORIGIN instead of DENY if your own pages need to frame each other
        context.Response.AppendHeader("X-FRAME-OPTIONS", "DENY");
    }

    public void Dispose() { }
}
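Once the module is in place you will want to confirm that responses actually carry the header, and that they carry it in a form browsers accept. The check below is an added example, not code from the original post: it parses raw HTTP response headers and reports whether X-FRAME-OPTIONS is present exactly once with one of the two values described above (DENY or SAMEORIGIN). Header names are matched case-insensitively, as HTTP requires. The sample responses are constructed inline so the check runs offline; in practice you would feed it the headers captured from your own application.

```python
"""Offline check for a usable X-FRAME-OPTIONS header on an HTTP response.

Added example (not from the original post). The sample responses below are
constructed for illustration; replace them with headers captured from your site.
"""
from typing import Dict, List, Tuple

# The two values the post describes; matching is done on the upper-cased value.
VALID_VALUES = {"DENY", "SAMEORIGIN"}


def parse_headers(raw_response: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and (name, value) pairs.

    Names are lower-cased because HTTP header names are case-insensitive.
    Duplicates are kept so the caller can detect a header that was sent twice.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def check_frame_options(raw_response: str) -> Dict[str, object]:
    """Return {'protected': bool, 'reason': str, 'values': [...]} for one response."""
    _, headers = parse_headers(raw_response)
    values = [v for (n, v) in headers if n == "x-frame-options"]
    if not values:
        return {"protected": False, "reason": "header missing", "values": values}
    if len(values) > 1:
        # Browsers do not handle repeated or conflicting copies consistently,
        # so a duplicate is reported as a misconfiguration rather than trusted.
        return {"protected": False, "reason": "header sent more than once", "values": values}
    value = values[0].upper()
    if value not in VALID_VALUES:
        return {"protected": False, "reason": "unrecognised value " + repr(values[0]), "values": values}
    return {"protected": True, "reason": "framing policy " + value, "values": values}


# Constructed sample responses (not captured from any real site).
SAMPLE_PROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-FRAME-OPTIONS: DENY\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
SAMPLE_BAD_VALUE = "HTTP/1.1 200 OK\r\nX-Frame-Options: ENABLED\r\n\r\n"
SAMPLE_DUPLICATE = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nx-frame-options: SAMEORIGIN\r\n\r\n"


if __name__ == "__main__":
    for label, sample in [("protected", SAMPLE_PROTECTED), ("missing", SAMPLE_MISSING),
                          ("bad value", SAMPLE_BAD_VALUE), ("duplicate", SAMPLE_DUPLICATE)]:
        result = check_frame_options(sample)
        print(f"{label:10s} protected={result['protected']} ({result['reason']})")
```

Run it against a saved response (for example the output of a raw HTTP client) to see the module's effect; a missing header, a misspelled value such as "SAME-ORIGIN", or the header being appended twice by two different layers all show up as not protected.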