NICE CXone Expert
Expert Success Center

Touchpoint Security

Overview

A Touchpoint is a snippet of code generated from a knowledge base site and added to an external website. The site Administrator configures it for that specific external website. The snippet relies on built-in modern browser security standards to enforce strict isolation between the two sites.

Technical Overview

An external website adds a script that loads a Touchpoint instance inside an iframe. The Touchpoint instance is configured for the hosting domain: it allows Cross-Origin Resource Sharing (CORS) for that domain, and the X-Frame-Options HTTP header restricts which site may embed it, using the ALLOW-FROM <site> syntax. Note that ALLOW-FROM was only ever honoured by Firefox and Internet Explorer and is now obsolete; the supported, standardised equivalent is the Content Security Policy directive frame-ancestors <site>, which modern browsers apply in preference to X-Frame-Options.

All requests made within the iframe remain subject to the browser's Same-Origin policy, so the framed Touchpoint and the hosting page cannot read each other's DOM, cookies or storage. Certain types of Touchpoint may pass data into the iframe through HTML attributes on the snippet, and those attributes are strictly validated. The iframe may send data to the hosting website through a public JavaScript API built on window.postMessage, which provides a narrow, explicitly defined channel between the two parties rather than direct access to either page.

The external website hosting the Touchpoint script is also encouraged to use Content Security Policy to restrict which origins it will frame, i.e. Content-Security-Policy: frame-src <source>;. A detailed blog post explains how Touchpoint was developed and why it was created.
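The following is an added example written for this page, not Touchpoint's own code or API. It shows the two practices the overview relies on: a host page that accepts postMessage data from the iframe only after an exact origin check and input validation, and the response headers each side sends to control framing. The origins https://www.example.com and https://kb.example.net, the message types and the element id are assumptions for illustration.

```javascript
// Added example (not NICE CXone Expert code): origin-checked postMessage handling
// between a host page and an embedded Touchpoint-style iframe, plus the headers
// that restrict who may frame whom. Origins and message shapes are assumed.

const HOST_ORIGIN = "https://www.example.com";      // site hosting the snippet (assumed)
const TOUCHPOINT_ORIGIN = "https://kb.example.net";  // knowledge base serving the iframe (assumed)

// Allow-list of message types the host page is willing to act on.
const ALLOWED_TYPES = new Set(["touchpoint:ready", "touchpoint:resize"]);

// Validate one incoming message. Returns the accepted payload, or null to drop it.
function acceptTouchpointMessage(event, expectedOrigin = TOUCHPOINT_ORIGIN) {
  // Origin check first: any frame or opener can call postMessage on this window,
  // so compare event.origin against an exact, scheme-qualified value. Never use
  // startsWith/indexOf here, which "https://kb.example.net.attacker.test" would pass.
  if (event.origin !== expectedOrigin) return null;

  // Even from the right origin, event.data is untrusted input: check its shape.
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (!ALLOWED_TYPES.has(data.type)) return null;

  if (data.type === "touchpoint:resize") {
    // Bound numeric fields so a misbehaving iframe cannot distort the host layout.
    const height = Number(data.height);
    if (!Number.isFinite(height) || height < 0 || height > 5000) return null;
    return { type: data.type, height };
  }
  return { type: data.type };
}

// Host-side wiring (browser only; only attached when a window object exists).
function installHostListener(win, handler = acceptTouchpointMessage) {
  win.addEventListener("message", (event) => {
    const msg = handler(event);
    if (msg === null) return; // silently drop anything unexpected
    if (msg.type === "touchpoint:resize") {
      const frame = win.document.getElementById("touchpoint-frame"); // assumed id
      if (frame) frame.style.height = `${msg.height}px`;
    }
  });
}

// Iframe side: pass an explicit targetOrigin rather than "*", so the payload is
// never delivered to a page that has navigated the parent somewhere else.
function sendToHost(parentWindow, payload) {
  parentWindow.postMessage(payload, HOST_ORIGIN);
}

// Headers the knowledge base returns on the framed Touchpoint document.
// X-Frame-Options ALLOW-FROM is obsolete (only Firefox and Internet Explorer
// ever honoured it); CSP frame-ancestors is the supported equivalent, and a
// browser that understands it ignores X-Frame-Options when both are present.
function touchpointFrameHeaders(hostOrigin = HOST_ORIGIN) {
  return {
    "X-Frame-Options": `ALLOW-FROM ${hostOrigin}`,
    "Content-Security-Policy": `frame-ancestors ${hostOrigin};`,
  };
}

// Header the host site sends so that it can only frame the knowledge base.
function hostCspHeader(touchpointOrigin = TOUCHPOINT_ORIGIN) {
  return { "Content-Security-Policy": `frame-src ${touchpointOrigin};` };
}

if (typeof window !== "undefined") installHostListener(window);
```

The origin comparison is the line that matters: without it, any page able to obtain a reference to the host window (an opener, another frame on the same page, or a page the host itself framed) can inject messages that look like they came from the Touchpoint.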


Definitions 

  • The X-Frame-Options HTTP header indicates whether a webpage may be embedded in an iframe element on another webpage. It helps protect against clickjacking attacks, in which an attacker tricks a user into clicking an element of a webpage that is loaded in a hidden frame on a different website.
  • ALLOW-FROM uri: this value allows the webpage to be displayed in an <iframe> element only if the parent webpage is at the specified uri. It was only ever supported by Firefox and Internet Explorer and is now obsolete; the Content Security Policy directive frame-ancestors is the supported replacement.
  • postMessage: the window.postMessage JavaScript method, which lets two windows or frames from different origins exchange messages explicitly. The receiver must check the origin of each message before acting on it, and the sender should name the target origin rather than using "*".
  • Cross-Origin Resource Sharing (CORS): the HTTP mechanism (Access-Control-* headers) by which a server states which other origins may read responses to requests made from a browser.
  • Same-Origin policy: the browser rule that scripts from one origin (scheme, host and port) cannot read the DOM, cookies or storage of a document from another origin.
  • Content Security Policy, aka CSP: an HTTP response header through which a site declares which sources of scripts, frames and other resources the browser may load for its pages; frame-src limits what a page may embed, and frame-ancestors limits who may embed the page.

