Enabling/disabling click-jacking defense – Google Search Appliance Creating the Search Experience User Manual
Google Search Appliance: Creating the Search Experience
Best Practices
You can enable search appliance support for a language bundle by performing the following tasks:
1. Downloading and installing the language bundle
2. Activating the language bundle
You can install multiple language bundles on a search appliance, but only one language bundle can be
active at any time. By default, the built-in language bundle is active.
The currently active language bundle provides spelling support for the languages in the bundle, as well
as query expansion. The Google Search Appliance supports several types of query expansion, including:
• Contextual—alternative terms for the search term, for example, where the search term “latest
  apple” is expanded to include “apples,” “fruit,” and “ipod.”
• Non-contextual—replacement of the search term, for example, where the search term “apple” is
  expanded to include “apples.”
The search appliance supports contextual query expansion for all languages in the language bundles.
Support for non-contextual query expansion is currently only available for Dutch, English, French,
German, Italian, Portuguese, and Spanish.
You cannot delete the currently active language bundle. However, you can delete any other inactive
language bundle that you no longer need.
To install and activate a language bundle, use the Serving > Language Bundles page in the Admin
Console. For information about using this page, click Help Center > Serving > Language Bundles in
the Admin Console.
Enabling/Disabling Click-Jacking Defense
Click-Jacking (sometimes called UI Redress) is a type of web attack where an attacker modifies the user
interface of a target web site so that a victim does not realize that he is taking an important action.
For example, a malicious web site could iframe an approval page for granting access to a third-party
application. When a user visits the malicious web site, the site would overlay the approval button on the
targeted site with a dancing hamster. When the user clicked on the hamster, the click would be
processed by the targeted site. The user would unknowingly have granted access to the third-party
application.
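When click-jacking defense is enabled, the search appliance sends an X-Frame-Options: SAMEORIGIN
header with search results pages, so that a browser that supports the header displays those pages
in an iframe only when the framing page comes from the same origin.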
Also, when click-jacking defense is enabled:
• The Admin Console Test Center is unable to display the “cached version” of the URLs returned there.
• Any Iframe-based application used by the customer to show results will, most likely, stop working if
  it's accessed by any of the following browsers:
    • Chrome 4.1.249.1042 +
    • Firefox 3.6.9 + (or earlier with NoScript)
    • Internet Explorer (IE): IE8 and IE9
    • Opera 10.50 +
    • Safari 4 +
    • Others based on those engines (WebKit, Trident, Gecko)
By default, click-jacking defense is enabled.
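
The effect of the X-Frame-Options: SAMEORIGIN header described above, as an added example that is not part of the original manual or the appliance's own code: a simplified Python model of the browser-side framing check, run against constructed response headers. The host names gsa.example.com and intranet.example.com are hypothetical, and the model looks only at the immediate parent page and ignores any Content-Security-Policy frame-ancestors directive.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample responses (not captured from a real appliance).
DEFENSE_ENABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
)
DEFENSE_DISABLED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"


def origin(url):
    """Return the (scheme, host, port) origin of a URL, filling default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def xfo_values(raw_headers):
    """Collect all X-Frame-Options values; header names are case-insensitive."""
    values = set()
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.update(v.strip().upper() for v in value.split(",") if v.strip())
    return values


def framing_allowed(raw_headers, page_url, parent_url):
    """True if a page at parent_url could display page_url in an iframe."""
    values = xfo_values(raw_headers)
    if not values:
        return True  # no header sent: any site may frame the page
    if "DENY" in values:
        return False
    if "SAMEORIGIN" in values:
        if len(values) > 1:
            return False  # conflicting values: assume the browser blocks
        return origin(page_url) == origin(parent_url)
    return True  # unrecognised value only: offers no protection


if __name__ == "__main__":
    page = "https://gsa.example.com/search?q=test"  # hypothetical appliance URL
    for parent in ("https://gsa.example.com/portal", "https://intranet.example.com/"):
        print(parent, framing_allowed(DEFENSE_ENABLED, page, parent))
```

The second parent models the Iframe-based application case from the list above: a results page framed from a different origin is refused once the defense is on.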