Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2017/09/07 21:54:00 UTC
[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective
[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157727#comment-16157727 ]
Larry McCay commented on KNOX-1028:
-----------------------------------
Turns out there are a couple of things going on here:
1. The X-Frame-Options enablement property should actually be xframe.options.enabled instead of xframe-options.enabled. When using the proper property name the header is sent as expected. See screenshot.
!with xframe.options.enabled.png!
2. GET methods are configured to be ignored for CSRF - and rightly so. If you change the methodsToIgnore property the enforcement can be seen. See this screenshot.
!csrf enforcement.png!
> X-Frame-Options and other security headers are ineffective
> ----------------------------------------------------------
>
> Key: KNOX-1028
> URL: https://issues.apache.org/jira/browse/KNOX-1028
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.13.0, 0.14.0
> Reporter: Krishna Pandey
> Priority: Critical
> Fix For: 0.14.0
>
> Attachments: csrf enforcement.png, Screen Shot 2017-09-07 at 10.31.20 PM.png, with xframe.options.enabled.png
>
>
> When the xframe-options.enabled param is set to true in the WebAppSec provider, it is not reflected in the HTTP response headers. See the attached screenshot here.
> !Screen Shot 2017-09-07 at 10.31.20 PM.png|width=70%!.
> Also, the X-XSRF-Header param is not effective: curl calls without X-XSRF-Header are passing through, e.g.
>
> {code}
> $ curl -iku admin:admin-password https://localhost:8443/gateway/admin/api/v1/version
> HTTP/1.1 200 OK
> Date: Thu, 07 Sep 2017 16:57:27 GMT
> Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 06-Sep-2017 16:57:27 GMT
> Content-Type: application/xml
> Content-Length: 167
> Server: Jetty(9.2.15.v20160210)
>
> <?xml version="1.0" encoding="UTF-8"?>
> <ServerVersion>
>   <version>0.14.0-SNAPSHOT</version>
>   <hash>6657f2fd9f52c8303fc9a2d1d72eef38be719288</hash>
> </ServerVersion>
> {code}
> Related topology config:
> {noformat}
> <provider>
>   <role>webappsec</role>
>   <name>WebAppSec</name>
>   <enabled>true</enabled>
>   <param>
>     <name>csrf.enabled</name>
>     <value>true</value>
>   </param>
>   <param>
>     <name>csrf.customHeader</name>
>     <value>X-XSRF-Header</value>
>   </param>
>   <param>
>     <name>csrf.methodsToIgnore</name>
>     <value>GET,OPTIONS,HEAD</value>
>   </param>
>   <param>
>     <name>cors.enabled</name>
>     <value>true</value>
>   </param>
>   <param>
>     <name>xframe-options.enabled</name>
>     <value>true</value>
>   </param>
> </provider>
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
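The two findings in the comment above (the misspelled xframe-options.enabled param, and GET being in csrf.methodsToIgnore so a header-less GET is accepted by design) are easy to catch before deploying a topology. The following is an added example, not Knox code: a small linter for the WebAppSec provider block plus a model of the CSRF accept/reject decision as the thread describes it (methods listed in csrf.methodsToIgnore skip the check; any other method must carry the header named by csrf.customHeader). The topology string is a constructed copy of the fragment from the issue, and the defaults used when a param is absent (X-XSRF-Header, GET,OPTIONS,HEAD) are assumptions, since the thread's config sets both explicitly.

```python
"""Lint a Knox WebAppSec provider config for the KNOX-1028 pitfalls.

Added example, not Knox's own code. The CSRF decision below is a model of
the behaviour described in the issue thread, not the gateway's filter.
"""
import xml.etree.ElementTree as ET

XFRAME_OK = "xframe.options.enabled"      # param name confirmed in the fix comment
XFRAME_WRONG = "xframe-options.enabled"   # misspelling from the original report
# Assumed defaults for absent params (the thread's topology sets both explicitly).
DEFAULT_CSRF_HEADER = "X-XSRF-Header"
DEFAULT_IGNORED = "GET,OPTIONS,HEAD"

# Constructed copy of the provider block from the issue, typo included.
TOPOLOGY = """<topology><gateway>
<provider>
  <role>webappsec</role><name>WebAppSec</name><enabled>true</enabled>
  <param><name>csrf.enabled</name><value>true</value></param>
  <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param>
  <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param>
  <param><name>cors.enabled</name><value>true</value></param>
  <param><name>xframe-options.enabled</name><value>true</value></param>
</provider>
</gateway></topology>"""


def webappsec_params(topology_xml):
    """Return {param name: value} for the webappsec provider, or {} if absent."""
    root = ET.fromstring(topology_xml)
    for provider in root.iter("provider"):
        if (provider.findtext("role") or "").strip() == "webappsec":
            return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
                    for p in provider.findall("param")}
    return {}


def ignored_methods(params):
    """Upper-cased set of HTTP methods exempt from the CSRF header check."""
    raw = params.get("csrf.methodsToIgnore", DEFAULT_IGNORED)
    return {m.strip().upper() for m in raw.split(",") if m.strip()}


def lint(params):
    """Findings a reviewer would raise about the config in the issue."""
    findings = []
    if XFRAME_WRONG in params:
        findings.append(f"'{XFRAME_WRONG}' is not a recognised param; rename it to '{XFRAME_OK}'")
    if params.get(XFRAME_OK, "").lower() != "true":
        findings.append(f"X-Frame-Options will not be sent: '{XFRAME_OK}' is not set to true")
    if params.get("csrf.enabled", "").lower() == "true":
        header = params.get("csrf.customHeader", DEFAULT_CSRF_HEADER)
        for method in sorted(ignored_methods(params)):
            findings.append(f"CSRF: {method} is in csrf.methodsToIgnore, "
                            f"so a {method} without {header} is accepted by design")
    return findings


def csrf_decision(method, headers, params):
    """Model of the filter's decision as (accepted, reason).

    headers is a dict of request headers; names are matched case-insensitively
    because HTTP header names are case-insensitive.
    """
    if params.get("csrf.enabled", "").lower() != "true":
        return True, "csrf.enabled is not true; filter inactive"
    method = method.upper()
    if method in ignored_methods(params):
        return True, f"{method} is in csrf.methodsToIgnore"
    wanted = params.get("csrf.customHeader", DEFAULT_CSRF_HEADER).lower()
    if any(name.lower() == wanted for name in headers):
        return True, f"{wanted} header present"
    return False, f"{method} without {wanted} header rejected"


if __name__ == "__main__":
    params = webappsec_params(TOPOLOGY)
    for finding in lint(params):
        print("-", finding)
    # The curl in the issue is a GET: accepted because GET is ignored, not because CSRF is off.
    for method, hdrs in (("GET", {}), ("POST", {}), ("POST", {"X-XSRF-Header": "1"})):
        print(method, csrf_decision(method, hdrs, params))
```

Running the linter on the issue's own topology reports the misspelled param and explains why the header-less GET passed; dropping GET from csrf.methodsToIgnore, as the comment suggests for a quick check, makes the model reject the same GET, which is the enforcement the second screenshot shows.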