Bug 39733 - UMC should set X-Frame-Options HTTP response header
UMC should set X-Frame-Options HTTP response header
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.0
Other Linux
: P5 critical (vote)
: UCS 4.2
Assigned To: Florian Best
Jürn Brodersen
: interim-2
Depends on:
Blocks: 44299
  Show dependency treegraph
Reported: 2015-11-03 15:34 CET by Florian Best
Modified: 2021-06-23 07:29 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): API change, Security
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2015-11-03 15:34:08 CET
UMC should set the X-Frame-Options HTTP response header (https://tools.ietf.org/html/rfc7034) to make sure it is not loaded in a Iframe (e.g. Bug #39731).

In general this should be ok:
X-Frame-Options: DENY

For login.html and blank.html (and maybe some iframe-IE-upload things) we need to set:
X-Frame-Options: SAMEORIGIN
Comment 1 Alexander Kläser univentionstaff 2016-03-08 11:48:57 CET
Could that also prevent an attack via images tags, e.g.:

<img src="http://ucs.example.com/univention-management-console/command/lib/server/shutdown">

See also: https://en.wikipedia.org/wiki/Cross-site_request_forgery
Comment 2 Florian Best univentionstaff 2016-03-08 12:02:04 CET
No but this can be achieved with the "Content-Security-Policy" header field.

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'self'; frame-src 'self'; font-src 'none'; connect-src 'self'; form-action 'self'; frame-ancestors 'none'; report-uri /csp-violation;
Comment 4 Florian Best univentionstaff 2016-08-19 18:03:48 CEST
The apache configuration now contains some security related HTTP response headers which prevents click jacking, cross site scripting, loading UMC in a <iframe>. The restrictions can be overwritten directly in the UMC module (if necessary; shouldn't be the case). The values for the Content-Security-Policy (https://www.w3.org/TR/CSP2/) header can be overwritten via UCR:


I guess the defaults are okay. scripts-src contains piwik.univention.de as well as youtube (for the appcenter).

univention-management-console-frontend (6.0.1-1):
r71763 | Bug #39733: set security relevant HTTP headers

(In reply to Alexander Kläser from comment #1)
> Could that also prevent an attack via images tags, e.g.:
This is not goal of this bug but Bug #39731 is. This bug is to prevent Clickjacking attacks and Cross-Site-Scripting.

TODO: Changelog entry
TODO: UCR variable descriptions
Comment 6 Florian Best univentionstaff 2017-01-17 15:17:23 CET
r75871 | Changelog Bug #39733 Bug #39731

univention-management-console (9.0.15-1):
r75870 | Bug #39733: Add UCR variable description
Comment 7 Florian Best univentionstaff 2017-01-27 16:45:06 CET
I added a test case which checks if these header are set:

r76148 | Bug #43348: Add basic apache/UMC tests
Comment 8 Florian Best univentionstaff 2017-02-02 12:22:03 CET
I added "data:" URI's to the img-src Content-Security-Policy as we display a preview of the uploaded user image.
As /univention/saml/ is loaded in a iframe It has to be allowed as well.

univention-management-console (9.0.21-1):
r76323 | Bug #39733: Allow data: img-src URI's in CSP; Allow /univention/saml to be loaded in iframe
Comment 9 Jürn Brodersen univentionstaff 2017-03-17 16:47:30 CET
What I tested:
ucr set umc/http/content-security-policy/style-src=none
systemctl restart apache2
-> NO css files are delivered -> OK

ucr set umc/http/content-security-policy/style-src="'self' 'unsafe-inline'"
systemctl restart apache2
-> css files are delivered -> OK

User images work -> OK

Changelog -> OK

Looks good to me -> Verified
Comment 10 Stefan Gohmann univentionstaff 2017-04-04 18:28:37 CEST
UCS 4.2 has been released:

If this error occurs again, please use "Clone This Bug".