Univention Bugzilla – Bug 39733
UMC should set X-Frame-Options HTTP response header
Last modified: 2021-06-23 07:29:10 CEST
UMC should set the X-Frame-Options HTTP response header (https://tools.ietf.org/html/rfc7034) to make sure it is not loaded in an iframe (e.g. Bug #39731).
In general this should be ok:
For login.html and blank.html (and maybe some iframe-IE-upload things) we need to set:
Could that also prevent an attack via image tags, e.g.:
See also: https://en.wikipedia.org/wiki/Cross-site_request_forgery
No, but this can be achieved with the "Content-Security-Policy" header field.
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'self'; frame-src 'self'; font-src 'none'; connect-src 'self'; form-action 'self'; frame-ancestors 'none'; report-uri /csp-violation;
The apache configuration now contains some security related HTTP response headers which prevent clickjacking, cross-site scripting and loading UMC in an <iframe>. The restrictions can be overwritten directly in the UMC module (if necessary; shouldn't be the case). The values for the Content-Security-Policy (https://www.w3.org/TR/CSP2/) header can be overwritten via UCR:
I guess the defaults are okay. script-src contains piwik.univention.de as well as youtube (for the appcenter).
r71763 | Bug #39733: set security relevant HTTP headers
(In reply to Alexander Kläser from comment #1)
> Could that also prevent an attack via images tags, e.g.:
This is not the goal of this bug, but Bug #39731 is. This bug is to prevent Clickjacking attacks and Cross-Site Scripting.
TODO: Changelog entry
TODO: UCR variable descriptions
r75871 | Changelog Bug #39733 Bug #39731
r75870 | Bug #39733: Add UCR variable description
I added a test case which checks if these headers are set:
r76148 | Bug #43348: Add basic apache/UMC tests
I added "data:" URIs to the img-src Content-Security-Policy as we display a preview of the uploaded user image.
As /univention/saml/ is loaded in an iframe, it has to be allowed as well.
r76323 | Bug #39733: Allow data: img-src URIs in CSP; Allow /univention/saml to be loaded in iframe
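A small check of the kind the test case above performs, as an added example that is not part of this bug report or of the UCS/UMC test suite: it parses a raw HTTP response into headers, splits the Content-Security-Policy into its directives, and reports whether X-Frame-Options, frame-ancestors, default-src and the data: img-src source discussed in this bug are set. The sample response and the function names are constructed for illustration and do not come from UMC.

```python
# Added example (not from the bug report or UCS): verify the security response
# headers discussed in this bug. SAMPLE_RESPONSE below is constructed.

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:                       # skip the empty part after a trailing ';'
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_headers(raw):
    """Turn a raw HTTP response (status line, headers, body) into a dict."""
    headers = {}
    for line in raw.splitlines()[1:]:   # skip the status line
        if not line.strip():            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers):
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    csp = parse_csp(headers.get("content-security-policy", ""))
    # 'none' blocks all framing; 'self' is the relaxation needed for /univention/saml/
    if csp.get("frame-ancestors") not in (["'none'"], ["'self'"]):
        findings.append("frame-ancestors missing or too permissive")
    if "'self'" not in csp.get("default-src", []):
        findings.append("default-src does not restrict to 'self'")
    if "data:" not in csp.get("img-src", []):
        findings.append("img-src lacks data: (user image preview would break)")
    return findings


# Constructed response resembling what the apache configuration is expected to send.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; img-src 'self' data:; frame-ancestors 'none'; report-uri /csp-violation;

<html></html>"""

if __name__ == "__main__":
    print(check_security_headers(parse_headers(SAMPLE_RESPONSE)))
```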
What I tested:
ucr set umc/http/content-security-policy/style-src=none
systemctl restart apache2
-> NO css files are delivered -> OK
ucr set umc/http/content-security-policy/style-src="'self' 'unsafe-inline'"
systemctl restart apache2
-> css files are delivered -> OK
User images work -> OK
Changelog -> OK
Looks good to me -> Verified
UCS 4.2 has been released:
If this error occurs again, please use "Clone This Bug".