Add anti-ClickJack XFS hardening for old browsers
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks. Although many pages within Horizon leverage the X-Frame-Options header with the recommended SAMEORIGIN policy, some (still popular) older browsers don’t support this setting. Namely, browsers older than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus vulnerable to an attack known as ClickJacking unless an additional mitigating control is present. To support legacy browsers, a suggested best practice is to add a frame breaking script to the base/global template file. Reference: http://tinyurl.com/anticlickjack Change-Id: Ibd7acd0d7b4c4d58afcd59f025735bfc9e4c2957 Closes-Bug: 1461154
This commit is contained in:
parent
5bde65705a
commit
056151cc70
@ -493,7 +493,6 @@ OpenStack dashboard to use a specific API version for a given service API.
|
||||
"volume": 2
|
||||
}
|
||||
|
||||
|
||||
``OPENSTACK_ENABLE_PASSWORD_RETRIEVE``
|
||||
--------------------------------------
|
||||
|
||||
@ -1031,6 +1030,29 @@ provided see: ``"/horizon/openstack_dashboard/static/themes/webroot"``
|
||||
Alias /dashboard/media %HORIZON_DIR%/openstack_dashboard/static
|
||||
|
||||
|
||||
``DISALLOW_IFRAME_EMBED``
|
||||
-------------------------
|
||||
|
||||
.. versionadded:: 8.0.0(Liberty)
|
||||
|
||||
Default: ``True``
|
||||
|
||||
This setting can be used to defend against Clickjacking and prevent Horizon from
|
||||
being embedded within an iframe. Legacy browsers are still vulnerable to a
|
||||
Cross-Frame Scripting (XFS) vulnerability, so this option allows extra security
|
||||
hardening where iframes are not used in deployment. When set to true, a
|
||||
``"frame-buster"`` script is inserted into the template header that prevents the
|
||||
web page from being framed and therefore defends against clickjacking.
|
||||
|
||||
For more information see:
|
||||
http://tinyurl.com/anticlickjack
|
||||
|
||||
.. note::
|
||||
|
||||
If your deployment requires the use of iframes, you can set this setting to
|
||||
``False`` to exclude the frame-busting code and allow iframe embedding.
|
||||
|
||||
|
||||
Django Settings (Partial)
|
||||
=========================
|
||||
|
||||
|
@ -19,7 +19,6 @@ WEBROOT = '/'
|
||||
# Do not set it to '/home/', as this will cause circular redirect loop
|
||||
# LOGIN_REDIRECT_URL = WEBROOT
|
||||
|
||||
|
||||
# Required for Django 1.5.
|
||||
# If horizon is running in production (DEBUG is False), set this
|
||||
# with the list of host/domain names that the application can serve.
|
||||
@ -639,3 +638,11 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES']
|
||||
# and are not encrypted on the browser. This is an experimental API and
|
||||
# may be deprecated in the future without notice.
|
||||
#REST_API_ADDITIONAL_SETTINGS = []
|
||||
|
||||
# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
|
||||
# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
|
||||
# Scripting (XFS) vulnerability, so this option allows extra security hardening
|
||||
# where iframes are not used in deployment. Default setting is True.
|
||||
# For more information see:
|
||||
# http://tinyurl.com/anticlickjack
|
||||
# DISALLOW_IFRAME_EMBED = True
|
||||
|
@ -1,4 +1,5 @@
|
||||
{% load branding i18n %}
|
||||
{% load context_selection %}
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
@ -10,6 +11,7 @@
|
||||
{% block css %}
|
||||
{% include "_stylesheets.html" %}
|
||||
{% endblock %}
|
||||
{% iframe_embed_settings %}
|
||||
{% include "horizon/_conf.html" %}
|
||||
{% include "horizon/client_side/_script_loader.html" %}
|
||||
{% include "horizon/_custom_head_js.html" %}
|
||||
|
@ -0,0 +1,12 @@
|
||||
{% if disallow_iframe_embed %}
|
||||
<style id="anti-clickjack">body{display:none !important;}</style>
|
||||
|
||||
<script type='text/javascript' charset="utf-8">
|
||||
if (self === top) {
|
||||
var antiClickjack = document.getElementById("anti-clickjack");
|
||||
antiClickjack.parentNode.removeChild(antiClickjack);
|
||||
} else {
|
||||
top.location = self.location;
|
||||
}
|
||||
</script>
|
||||
{% endif %}
|
@ -88,3 +88,13 @@ def show_region_list(context):
|
||||
'regions': sorted(request.user.available_services_regions),
|
||||
'request': request}
|
||||
return context
|
||||
|
||||
|
||||
@register.inclusion_tag('context_selection/_anti_clickjack.html',
|
||||
takes_context=True)
|
||||
def iframe_embed_settings(context):
|
||||
disallow_iframe_embed = getattr(settings,
|
||||
'DISALLOW_IFRAME_EMBED',
|
||||
True)
|
||||
context = {'disallow_iframe_embed': disallow_iframe_embed}
|
||||
return context
|
||||
|
Loading…
Reference in New Issue
Block a user