Task #54837

Click Jacking Protection for all our sites

Added by Michael Stucki over 7 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Target version:
-
Start date:
2014-01-08
Due date:
% Done:

60%

Estimated time:

Description

Copied from OTRS - https://otrs.typo3.org/otrs/index.pl?Action=AgentTicketZoom&TicketID=68048

=== begin ===
Hi,

all our sites (typo3.org, forge.typo3.org, lists.typo3.org) can potentially be included in
an iframe and thus be a target for clickjacking attacks.

Would it be possible to change the webserver (and probably the reverse proxy)
configuration to send the following HTTP headers for every domain?

X-Frame-Options: SAMEORIGIN

This will mitigate this issue for all current browsers.

Kind regards,
Helmut

--
Helmut Hummel
Release Manager TYPO3 CMS 6.0
TYPO3 Core Developer, TYPO3 Security Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org

=== end ===


Files

get-org.php (199 Bytes) get-org.php index script for get.typo3.org Helmut Hummel, 2014-01-08 21:13
api-org.php (199 Bytes) api-org.php index script for api.typo3.org Helmut Hummel, 2014-01-08 21:13
#1

Updated by Michael Stucki over 7 years ago

  • Status changed from New to Accepted
  • % Done changed from 0 to 50

done on srv115 (nginx server for various sites, but not all)

$ cat /etc/nginx/conf.d/prevent-clickjacking.conf
# see http://forge.typo3.org/issues/54837
add_header        X-Frame-Options        SAMEORIGIN;
#2

Updated by Michael Stucki over 7 years ago

  • % Done changed from 50 to 60

Fixed also on srv102 (lists.typo3.org), which the original report was referring to:

root@srv102:/etc# cat /etc/apache2/conf.d/prevent-clickjacking.conf 
# see http://forge.typo3.org/issues/54837
Header add X-Frame-Options "SAMEORIGIN" 
#3

Updated by Michael Stucki over 7 years ago

  • Project changed from 564 to Server Team

Moving the issue to the public project. I think that's acceptable.

#4

Updated by Michael Stucki over 7 years ago

Hmm, I had to disable the improvement again, since it blocks http://get.typo3.org/ and other sites, which load http://get.typo3.org/ in an iframe.
Unfortunately, it seems impossible to whitelist more than only one URI. Unless that is the case, we cannot use this solution.

(However, the change is still active on lists.typo3.org - I don't think that there are any sites that embed this URL...)

#5

Updated by Michael Stucki over 7 years ago

For each page or folder, you can only specify one of the three main header values of "DENY", "ALLOW-FROM" or "SAMEORIGIN". You can't mix them unfortunately.
ALLOW-FROM supports only one origin, not multiple.

So stupid!
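
As an added check (not from this thread or the TYPO3 infrastructure), the following Python decides whether a given embedder could frame a page from that page's response headers, implementing the X-Frame-Options rules the comments above run into: conflicting values, ALLOW-FROM with its single origin, and the header being ignored when its value is unrecognised (which is what current browsers do with ALLOW-FROM). It goes beyond the thread by also evaluating CSP frame-ancestors, the standard successor that takes several origins; all header values and URLs used with it are constructed.

```python
"""Added check: may another site frame a page, given that page's response headers?
X-Frame-Options follows the HTML Standard's adherence check; a CSP frame-ancestors
directive, where present, takes precedence over it. All inputs are constructed."""
from typing import List, Tuple
from urllib.parse import urlsplit

def _origin(url: str) -> str:
    """Reduce a URL or CSP host-source to lowercase scheme://host[:port]."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _header_values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    """Collect one header's values, splitting comma-joined lists as browsers do."""
    out = []
    for n, v in headers:
        if n.lower() == name:
            out.extend(p.strip() for p in v.split(",") if p.strip())
    return out

def frame_allowed(headers: List[Tuple[str, str]], page_url: str, embedder_url: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for page_url framed by a document on embedder_url."""
    page, embedder = _origin(page_url), _origin(embedder_url)
    saw_frame_ancestors = False
    for policy in _header_values(headers, "content-security-policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if not tokens or tokens[0].lower() != "frame-ancestors":
                continue
            saw_frame_ancestors = True
            srcs = [t.lower() for t in tokens[1:]]
            # Exact origins and 'self' only; wildcard hosts are not matched here.
            ok = ("'self'" in srcs and embedder == page) or any(
                "://" in s and _origin(s) == embedder for s in srcs)
            if not ok:  # 'none', or an origin list that omits the embedder
                return False, "CSP frame-ancestors excludes embedder"
    if saw_frame_ancestors:
        return True, "CSP frame-ancestors allows embedder"
    xfo = {v.lower() for v in _header_values(headers, "x-frame-options")}
    if not xfo:
        return True, "no framing protection"
    if len(xfo) > 1:
        # Conflicting recognised values block; several unknown values are ignored.
        if xfo & {"deny", "allowall", "sameorigin"}:
            return False, "conflicting X-Frame-Options values"
        return True, "X-Frame-Options values unrecognised"
    if "deny" in xfo:
        return False, "X-Frame-Options DENY"
    if "sameorigin" in xfo:
        return embedder == page, "X-Frame-Options SAMEORIGIN"
    # Anything else, including legacy ALLOW-FROM, is not enforced by current browsers.
    return True, f"X-Frame-Options {xfo.pop()!r} not enforced"
```

The SAMEORIGIN case reproduces the breakage from #4 (typo3.org framing get.typo3.org is refused), while the two-origin ALLOW-FROM that #5 wished for comes back as not enforced at all.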

#6

Updated by Martin Muskulus over 7 years ago

Coming from Apache's world, I would consider a vhost/directory/URL-based setting of this header.

#7

Updated by Helmut Hummel over 7 years ago

Here is a suggestion for an iframe replacement. This can be adapted for other sites easily.

#8

Updated by Steffen Gebert over 7 years ago

Thanks Helmut, I've changed the two sites.

#9

Updated by Helmut Hummel over 7 years ago

Steffen Gebert wrote:

Thanks Helmut, I've changed the two sites.

Thanks.

I changed the api and get pages to exclude the login box, as it fails to do the AJAX request anyway when accessed through api.typo3.org or get.typo3.org.

We can improve this later if needed, but for now I think it is acceptable. Can we activate the HTTP headers then again?

#10

Updated by Helmut Hummel over 7 years ago

Besides that, the script needs a little adaptation:

I've done it already for get.typo3.org https://review.typo3.org/#/c/26698/

#12

Updated by Steffen Gebert over 7 years ago

And now also live on http://api.typo3.org

#13

Updated by Steffen Gebert over 7 years ago

And I've now enabled the header again on the typo3.org proxy.

Can you check if everything is fine and then close the issue?

Thanks for your help, Helmut!

#14

Updated by Steffen Gebert over 7 years ago

  • Status changed from Accepted to Under Review
#15

Updated by Steffen Gebert over 7 years ago

And added to forge, too.

#16

Updated by Steffen Gebert over 4 years ago

  • Status changed from Under Review to Resolved

As we migrate to the proxy-based setups, this will be added to all sites over time.

#17

Updated by Steffen Gebert over 4 years ago

  • Status changed from Resolved to Closed
