Click Jacking Protection for all our sites
Copied from OTRS - https://otrs.typo3.org/otrs/index.pl?Action=AgentTicketZoom&TicketID=68048
=== begin ===
All our sites (typo3.org, forge.typo3.org, lists.typo3.org) can potentially be included in
an iframe and thus be a target for clickjacking attacks.
Would it be possible to change the webserver (and probably the reverse proxy)
configuration to send the following HTTP headers for every domain?
This will mitigate this issue for all current browsers.
Release Manager TYPO3 CMS 6.0
TYPO3 Core Developer, TYPO3 Security Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
=== end ===
#1 Updated by Michael Stucki about 6 years ago
- Status changed from New to Accepted
- % Done changed from 0 to 50
done on srv115 (nginx server for various sites, but not all)
$ cat /etc/nginx/conf.d/prevent-clickjacking.conf
# see http://forge.typo3.org/issues/54837
add_header X-Frame-Options SAMEORIGIN;
#2 Updated by Michael Stucki about 6 years ago
- % Done changed from 50 to 60
Fixed also on srv102 (lists.typo3.org) where the original report was referring to:
root@srv102:/etc# cat /etc/apache2/conf.d/prevent-clickjacking.conf
# see http://forge.typo3.org/issues/54837
Header add X-Frame-Options "SAMEORIGIN"
#4 Updated by Michael Stucki about 6 years ago
Hmm, I had to disable the improvement again, since it blocks http://get.typo3.org/ and other sites, which load http://get.typo3.org/ in an iframe.
Unfortunately, it seems impossible to whitelist more than only one URI. Unless that is the case, we cannot use this solution.
(However, the change is still active on lists.typo3.org - I don't think that there are any sites that embed this URL...)
#5 Updated by Michael Stucki about 6 years ago
For each page or folder, you can only specify one of the three main header values of "DENY", "ALLOW-FROM" or "SAMEORIGIN". You can't mix them unfortunately.
ALLOW-FROM supports only one origin, not multiple.
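The constraints from comments #4 and #5 (one directive per response, ALLOW-FROM taking a single origin, and SAMEORIGIN blocking the get.typo3.org embeds because typo3.org and get.typo3.org are different origins) can be encoded in a small offline audit helper. The following Python is an added example written for this page, not code from the Forge thread or the TYPO3 infrastructure; the function and class names are assumptions, the sample header sets are constructed rather than captured from the real servers, and the ALLOW-FROM branch is kept only because the thread discusses it (Chrome never implemented ALLOW-FROM and the directive is obsolete today).

```python
# Added example, not part of the Forge issue: evaluate an X-Frame-Options
# response header and predict whether a given embedding would be allowed.
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

VALID_DIRECTIVES = ("DENY", "SAMEORIGIN", "ALLOW-FROM")


@dataclass
class XfoVerdict:
    status: str                        # "protected", "unprotected" or "misconfigured"
    reason: str
    directive: Optional[str] = None    # normalised directive, if one was accepted
    allowed_origin: Optional[str] = None


def normalise_origin(url: str) -> str:
    """Reduce an absolute URL or origin to scheme://host[:port], lower-cased (hypothetical helper)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL/origin: {url!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def evaluate_x_frame_options(headers: Dict[str, List[str]]) -> XfoVerdict:
    """headers maps header names to the list of values seen on the wire."""
    values = [v.strip() for name, vals in headers.items()
              if name.lower() == "x-frame-options" for v in vals]
    if not values:
        return XfoVerdict("unprotected", "header missing: any site may frame this page")
    # A repeated header (e.g. added by both Apache and the reverse proxy) or a
    # comma-joined list is not a single valid directive; browsers differ in
    # how they react, so an audit should flag it rather than guess.
    if len(values) > 1 or "," in values[0]:
        return XfoVerdict("misconfigured",
                          "several X-Frame-Options values sent; only one directive per response is valid")
    directive, _, argument = values[0].partition(" ")
    directive, argument = directive.upper(), argument.strip()
    if directive not in VALID_DIRECTIVES:
        return XfoVerdict("misconfigured", f"unknown directive {directive!r}: browsers ignore the header")
    if directive in ("DENY", "SAMEORIGIN"):
        if argument:
            return XfoVerdict("misconfigured", f"{directive} takes no argument")
        return XfoVerdict("protected", f"{directive}: framing restricted", directive)
    # ALLOW-FROM: exactly one origin, no list of several
    if not argument or " " in argument or "," in argument:
        return XfoVerdict("misconfigured", "ALLOW-FROM needs exactly one origin")
    try:
        origin = normalise_origin(argument)
    except ValueError:
        return XfoVerdict("misconfigured", f"ALLOW-FROM origin {argument!r} is not an absolute origin")
    return XfoVerdict("protected", f"ALLOW-FROM: only {origin} may frame this page", directive, origin)


def framing_allowed(verdict: XfoVerdict, page_url: str, framer_url: str) -> Optional[bool]:
    """Would a browser honouring the verdict render page_url in a frame on framer_url?

    Returns None when the header is misconfigured and the outcome cannot be predicted.
    Single-level framing is assumed: SAMEORIGIN compares page and framer origins directly.
    """
    if verdict.status == "misconfigured":
        return None
    if verdict.status == "unprotected":
        return True
    if verdict.directive == "DENY":
        return False
    if verdict.directive == "SAMEORIGIN":
        return normalise_origin(page_url) == normalise_origin(framer_url)
    return normalise_origin(framer_url) == verdict.allowed_origin


# Constructed sample responses (not captured from the typo3.org servers)
SAMPLE_RESPONSES = {
    "lists.typo3.org": {"X-Frame-Options": ["SAMEORIGIN"]},
    "get.typo3.org (header disabled)": {"Content-Type": ["text/html"]},
    "double header": {"X-Frame-Options": ["SAMEORIGIN", "DENY"]},
    "allow-from two origins": {"X-Frame-Options": ["ALLOW-FROM https://typo3.org https://forge.typo3.org"]},
}


def audit(samples: Dict[str, Dict[str, List[str]]]) -> Dict[str, str]:
    """Map each sample name to the status its headers earn."""
    return {name: evaluate_x_frame_options(hdrs).status for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_RESPONSES).items():
        print(f"{name:35} {status}")
    same = evaluate_x_frame_options({"X-Frame-Options": ["SAMEORIGIN"]})
    # The situation from comment #4: typo3.org framing get.typo3.org is a cross-origin embed.
    print("typo3.org may frame get.typo3.org under SAMEORIGIN:",
          framing_allowed(same, "http://get.typo3.org/", "http://typo3.org/"))
```

Running the script lists each constructed sample with its verdict and then shows that SAMEORIGIN rejects the typo3.org -> get.typo3.org embed, which is exactly why the header had to be switched off again in comment #4. The "misconfigured" status is deliberately separate from "unprotected": a doubled header produced by stacking an Apache rule on top of a proxy rule is a deployment bug to fix, not a state whose browser behaviour should be relied on.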
#9 Updated by Helmut Hummel about 6 years ago
Steffen Gebert wrote:
Thanks Helmut, I've changed the two sites.
I changed the api and get pages to exclude the login box, as it fails to do the AJAX request anyway when accessed through api.typo3.org or get.typo3.org.
We can improve this later if needed, but for now I think it is acceptable. Can we activate the HTTP headers then again?