Systems and methods provide for clickjacking prevention code provided in an embedded webpage to prevent clickjacking when the embedded webpage is called by an embedding webpage determined to be illegitimate. When the embedded webpage is loaded on a user device, the clickjacking prevention code is executed and initially prevents content of the embedded webpage from being rendered. Additionally, the clickjacking prevention code sends a message containing a secret to a known domain that provides legitimate embedding webpages. When the embedding webpage sends a message to the embedded webpage, the message is checked to see if it contains the secret. If the message contains the secret, the embedding webpage is legitimate since it originated from the known domain, and the content of the embedded webpage is rendered. Alternatively, if the message does not contain the secret, the content of the webpage is not rendered.
展开▼