Nuxeo Platform / NXP-19629

Allow configuration of frame options


    Details

    • Tags:
    • Upgrade notes:
      nuxeo.frame.options=SAMEORIGIN is the default since Nuxeo 8.3.
    • Sprint:
      nxFG 8.3.2

      Description

      We want to be able to control the sending of an X-Frame-Options header in Nuxeo, to allow better clickjacking protection (https://www.owasp.org/index.php/Clickjacking) directly from Nuxeo instead of having to do it from a front-end proxy.

      The default should be SAMEORIGIN in master, but for backward-compatibility it will be skipped in hotfixes (although still configurable).

      For 8.3 the implementation uses the standard responseHeaders extension point. To deactivate the header completely, contribute the following:

      Deactivation for 8.3
      <!-- Load after the default contribution so this override is applied on top of it -->
      <require>org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib</require>

      <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService"
          point="responseHeaders">
        <!-- Same header name as the default contribution; enabled="false" stops it being sent -->
        <header name="X-Frame-Options" enabled="false"/>
      </extension>

      To restrict framing of a Nuxeo site in an iframe (clickjacking protection), set the following in nuxeo.conf: nuxeo.frame.options=SAMEORIGIN (this is the default starting from Nuxeo 8.3).

      See https://tools.ietf.org/html/rfc7034 and https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options for more about the possible values. See https://www.owasp.org/index.php/Clickjacking about clickjacking.
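      The following is an added example, not code from Nuxeo or from this issue. It shows how to verify that a deployed server actually sends the X-Frame-Options value you configured: it reads nuxeo.frame.options from nuxeo.conf text (falling back to the SAMEORIGIN default named above), parses header values using the RFC 7034 grammar (DENY, SAMEORIGIN, ALLOW-FROM uri), and flags the cases browsers silently ignore, such as an unrecognised value or a header sent twice. The sample nuxeo.conf text and the response header lists are constructed for the example; the function names are the example's own.

```python
"""Check the X-Frame-Options header a server sends against nuxeo.conf.

Added example, not Nuxeo's own code. The property name nuxeo.frame.options
and its SAMEORIGIN default come from the issue; every input below is constructed.
"""
from typing import Dict, List, Optional, Tuple


def parse_frame_options(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (directive, origin) for one header value per RFC 7034 section 2.1,
    or (None, None) when the value is not one browsers recognise."""
    parts = value.strip().split(None, 1)
    if not parts:
        return None, None
    directive = parts[0].upper()  # directives are case-insensitive
    if directive in ("DENY", "SAMEORIGIN"):
        # These take no argument; any trailing text makes the value invalid.
        return (directive, None) if len(parts) == 1 else (None, None)
    if directive == "ALLOW-FROM" and len(parts) == 2:
        return directive, parts[1].strip()
    return None, None


def read_nuxeo_frame_options(conf_text: str) -> str:
    """Extract nuxeo.frame.options from nuxeo.conf text.
    SAMEORIGIN is the default since Nuxeo 8.3, so that is the fallback."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "nuxeo.frame.options":
            return val.strip()
    return "SAMEORIGIN"


def assess(headers: List[Tuple[str, str]], expected: str) -> Dict[str, object]:
    """Evaluate the X-Frame-Options header(s) of one response.

    headers: (name, value) pairs as received; header names are case-insensitive.
    Returns {'ok': bool, 'finding': str} describing the defensive posture."""
    values = [v for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return {"ok": False, "finding": "header absent: pages can be framed by any site"}
    if len(values) > 1:
        # RFC 7034 notes browsers may ignore the header when it appears more than once.
        return {"ok": False, "finding": "header sent more than once; browsers may ignore it"}
    directive, origin = parse_frame_options(values[0])
    if directive is None:
        return {"ok": False, "finding": f"unrecognised value {values[0]!r}; browsers ignore it"}
    if (directive, origin) != parse_frame_options(expected):
        return {"ok": False, "finding": f"got {values[0]!r}, expected {expected!r}"}
    return {"ok": True, "finding": f"{values[0]!r} matches configuration"}


if __name__ == "__main__":
    # Constructed nuxeo.conf fragment: the property is commented out, so the default applies.
    conf = "# nuxeo.frame.options=DENY\nnuxeo.url=http://localhost:8080/nuxeo\n"
    expected = read_nuxeo_frame_options(conf)
    # Constructed responses: one correct, one with the header missing, one duplicated.
    samples = [
        [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
        [("Content-Type", "text/html")],
        [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
    ]
    for sample in samples:
        print(assess(sample, expected))
```

To run it against a live instance, replace the constructed `samples` with the header pairs from your HTTP client's response. Note that ALLOW-FROM, while part of RFC 7034, is not honoured by current browsers, so a value the parser accepts is not necessarily one that protects users; DENY and SAMEORIGIN are the dependable choices.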
