Merge "Add anti-ClickJack XFS hardening for old browsers"

doc/source/topics/settings.rst

@@ -493,7 +493,6 @@ OpenStack dashboard to use a specific API version for a given service API.
         "volume": 2
     }
 
-
 ``OPENSTACK_ENABLE_PASSWORD_RETRIEVE``
 --------------------------------------
 
@@ -1047,6 +1046,29 @@ provided see: ``"/horizon/openstack_dashboard/static/themes/webroot"``
         Alias /dashboard/media %HORIZON_DIR%/openstack_dashboard/static
 
 
+``DISALLOW_IFRAME_EMBED``
+-------------------------
+
+.. versionadded:: 8.0.0(Liberty)
+
+Default: ``True``
+
+This setting can be used to defend against Clickjacking and prevent Horizon from
+being embedded within an iframe. Legacy browsers are still vulnerable to a
+Cross-Frame Scripting (XFS) vulnerability, so this option allows extra security
+hardening where iframes are not used in deployment. When set to true, a
+``"frame-buster"`` script is inserted into the template header that prevents the
+web page from being framed and therefore defends against clickjacking.
+
+For more information see:
+http://tinyurl.com/anticlickjack
+
+.. note::
+
+  If your deployment requires the use of iframes, you can set this setting to
+  ``False`` to exclude the frame-busting code and allow iframe embedding.
+
+
 Django Settings (Partial)
 =========================
 

openstack_dashboard/local/local_settings.py.example

@@ -19,7 +19,6 @@ WEBROOT = '/'
 # Do not set it to '/home/', as this will cause circular redirect loop
 # LOGIN_REDIRECT_URL = WEBROOT
 
-
 # Required for Django 1.5.
 # If horizon is running in production (DEBUG is False), set this
 # with the list of host/domain names that the application can serve.
@@ -640,3 +639,11 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES']
 # and are not encrypted on the browser. This is an experimental API and
 # may be deprecated in the future without notice.
 #REST_API_ADDITIONAL_SETTINGS = []
+
+# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
+# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
+# Scripting (XFS) vulnerability, so this option allows extra security hardening
+# where iframes are not used in deployment. Default setting is True.
+# For more information see:
+# http://tinyurl.com/anticlickjack
+# DISALLOW_IFRAME_EMBED = True

openstack_dashboard/templates/base.html

@@ -1,4 +1,5 @@
 {% load branding i18n %}
+{% load context_selection %}
 <!DOCTYPE html>
 <html>
   <head>
@@ -10,6 +11,7 @@
     {% block css %}
       {% include "_stylesheets.html" %}
     {% endblock %}
+    {% iframe_embed_settings %}
     {% include "horizon/_conf.html" %}
     {% include "horizon/client_side/_script_loader.html" %}
     {% include "horizon/_custom_head_js.html" %}

openstack_dashboard/templates/context_selection/_anti_clickjack.html

@@ -0,0 +1,12 @@
+{% if disallow_iframe_embed %}
+  <style id="anti-clickjack">body{display:none !important;}</style>
+
+  <script type='text/javascript' charset="utf-8">
+    if (self === top) {
+      var antiClickjack = document.getElementById("anti-clickjack");
+      antiClickjack.parentNode.removeChild(antiClickjack);
+    } else {
+      top.location = self.location;
+    }
+  </script>
+{% endif %}

openstack_dashboard/templatetags/context_selection.py

@@ -88,3 +88,13 @@ def show_region_list(context):
                'regions': sorted(request.user.available_services_regions),
                'request': request}
     return context
+
+
+@register.inclusion_tag('context_selection/_anti_clickjack.html',
+                        takes_context=True)
+def iframe_embed_settings(context):
+    disallow_iframe_embed = getattr(settings,
+                                    'DISALLOW_IFRAME_EMBED',
+                                    True)
+    context = {'disallow_iframe_embed': disallow_iframe_embed}
+    return context