Task #54837

Click Jacking Protection for all our sites

Added by Michael Stucki almost 6 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Target version:
-
Start date:
2014-01-08
Due date:
% Done:
60%

Description

Copied from OTRS - https://otrs.typo3.org/otrs/index.pl?Action=AgentTicketZoom&TicketID=68048

=== begin ===
Hi,

all our sites (typo3.org, forge.typo3.org, lists.typo3.org) can potentially be included in
an iframe and thus be a target for clickjacking attacks.

Would it be possible to change the webserver (and probably the reverse proxy)
configuration to send the following HTTP headers for every domain?

X-Frame-Options: SAMEORIGIN

This will mitigate this issue for all current browsers.

Kind regards,
Helmut

--
Helmut Hummel
Release Manager TYPO3 CMS 6.0
TYPO3 Core Developer, TYPO3 Security Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org

=== end ===

get-org.php - index script for get.typo3.org (199 Bytes) Helmut Hummel, 2014-01-08 21:13

api-org.php - index script for api.typo3.org (199 Bytes) Helmut Hummel, 2014-01-08 21:13

History

#1 Updated by Michael Stucki almost 6 years ago

  • Status changed from New to Accepted
  • % Done changed from 0 to 50

done on srv115 (nginx server for various sites, but not all)

$ cat /etc/nginx/conf.d/prevent-clickjacking.conf
# see http://forge.typo3.org/issues/54837
add_header        X-Frame-Options        SAMEORIGIN;

#2 Updated by Michael Stucki almost 6 years ago

  • % Done changed from 50 to 60

Fixed also on srv102 (lists.typo3.org) where the original report was referring to:

root@srv102:/etc# cat /etc/apache2/conf.d/prevent-clickjacking.conf
# see http://forge.typo3.org/issues/54837
Header add X-Frame-Options "SAMEORIGIN"

#3 Updated by Michael Stucki almost 6 years ago

  • Project changed from Server Team (private) to Server Team

Moving the issue to the public project. I think that's acceptable.

#4 Updated by Michael Stucki almost 6 years ago

Hmm, I had to disable the improvement again, since it blocks http://get.typo3.org/ and other sites, which load http://get.typo3.org/ in an iframe.
Unfortunately, it seems impossible to whitelist more than only one URI. Unless that is the case, we cannot use this solution.

(However, the change is still active on lists.typo3.org - I don't think that there are any sites that embed this URL...)

#5 Updated by Michael Stucki almost 6 years ago

For each page or folder, you can only specify one of the three main header values of "DENY", "ALLOW-FROM" or "SAMEORIGIN". You can't mix them unfortunately.
ALLOW-FROM supports only 1 origin, not multiple.

So stupid!
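To make the limitation described in this comment concrete, below is an added checker (example code, not from this issue and not part of the TYPO3 server configuration) that classifies the X-Frame-Options policy an HTTP response carries and answers whether a given embedding origin may frame the page. It follows the RFC 7034 semantics discussed here: one directive per response, ALLOW-FROM limited to a single origin, and it flags the duplicate-header case that an origin server plus a reverse proxy (the setup on typo3.org) can produce. All header blocks in the demo are constructed.

```python
"""Checker for the X-Frame-Options policy an HTTP response announces.

Added example, not part of the forge issue or the TYPO3 server setup.
Models the RFC 7034 semantics: one directive per response, ALLOW-FROM
with exactly one origin.  Header blocks used below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class FramingPolicy:
    directive: str                        # DENY, SAMEORIGIN, ALLOW-FROM or NONE
    allowed_origin: Optional[str] = None  # only meaningful for ALLOW-FROM
    issues: List[str] = field(default_factory=list)


def origin_of(url: str) -> str:
    """scheme://host[:port], lowercased: the unit X-Frame-Options compares."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def parse_headers(raw: str):
    """Turn a raw HTTP/1.x response head into (name, value) pairs.

    Duplicates are kept on purpose: an origin server and a reverse proxy
    can each add their own X-Frame-Options, and the checker wants to see both.
    """
    pairs = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def framing_policy(raw_response: str) -> FramingPolicy:
    """Classify the response's framing policy and record misconfigurations."""
    values = [v for n, v in parse_headers(raw_response) if n == "x-frame-options"]
    # A proxy may also fold two values into one field: "DENY, SAMEORIGIN".
    tokens = [t.strip() for v in values for t in v.split(",") if t.strip()]
    if not tokens:
        return FramingPolicy("NONE", issues=["no X-Frame-Options: framable from any origin"])

    policy = FramingPolicy("NONE")
    if len({t.upper() for t in tokens}) > 1:
        policy.issues.append(
            f"conflicting values {tokens}: browsers differ on how they resolve "
            "this; remove the duplicate at the origin server or the proxy")
    token = tokens[0]
    upper = token.upper()
    if upper in ("DENY", "SAMEORIGIN"):
        policy.directive = upper
    elif upper.startswith("ALLOW-FROM"):
        uris = token[len("ALLOW-FROM"):].split()
        policy.directive = "ALLOW-FROM"
        if len(uris) != 1:
            policy.issues.append("ALLOW-FROM takes exactly one origin; extra origins are not honoured")
        if uris:
            policy.allowed_origin = origin_of(uris[0])
        policy.issues.append("ALLOW-FROM is not honoured by every browser; "
                             "browsers without support ignore the whole header")
    else:
        policy.issues.append(f"unrecognised value {token!r}: browsers ignore it, page stays framable")
    return policy


def may_embed(policy: FramingPolicy, page_url: str, embedder_url: str) -> bool:
    """Would a browser honouring the directive render page_url framed by embedder_url?"""
    if policy.directive == "DENY":
        return False
    if policy.directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(embedder_url)
    if policy.directive == "ALLOW-FROM":
        return policy.allowed_origin == origin_of(embedder_url)
    return True   # NONE or unrecognised value: nothing stops the framing


if __name__ == "__main__":
    # Constructed response, mirroring the SAMEORIGIN header from this issue.
    sample = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
    pol = framing_policy(sample)
    print(pol)
    print("typo3.org may frame get.typo3.org:",
          may_embed(pol, "https://get.typo3.org/", "https://typo3.org/"))
```

Running the module shows why the SAMEORIGIN header broke the get.typo3.org embedding: the two hostnames are different origins, so the answer is False, and switching to ALLOW-FROM can only re-admit one of the embedding sites.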

#6 Updated by Martin Muskulus almost 6 years ago

Coming from Apache's world I would consider vhost/directory/url based setting of this header.

#7 Updated by Helmut Hummel almost 6 years ago

Here is a suggestion for an iframe replacement. This can be adapted for other sites easily.

#8 Updated by Steffen Gebert almost 6 years ago

Thanks Helmut, I've changed the two sites.

#9 Updated by Helmut Hummel almost 6 years ago

Steffen Gebert wrote:

Thanks Helmut, I've changed the two sites.

Thanks.

I changed api and get pages to exclude the login box as it fails to do the ajax request anyway when accessed through api.typo3.org or get.typo3.org

We can improve this later if needed, but for now I think it is acceptable. Can we activate the HTTP headers then again?

#10 Updated by Helmut Hummel almost 6 years ago

Besides that, the script needs a little adaptation:

I've done it already for get.typo3.org https://review.typo3.org/#/c/26698/

#12 Updated by Steffen Gebert almost 6 years ago

And now also live on http://api.typo3.org

#13 Updated by Steffen Gebert almost 6 years ago

And I've now enabled the header again on the typo3.org proxy.

Can you check, if everything is fine and then close the issue?

Thanks for your help, Helmut!

#14 Updated by Steffen Gebert almost 6 years ago

  • Status changed from Accepted to Under Review

#15 Updated by Steffen Gebert almost 6 years ago

And added to forge, too.

#16 Updated by Steffen Gebert almost 3 years ago

  • Status changed from Under Review to Resolved

As we migrate to the proxy-based setups, this will be added to all sites over time.

#17 Updated by Steffen Gebert over 2 years ago

  • Status changed from Resolved to Closed
