- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 5.8.0-HF40, 6.0-HF31, 7.10-HF10, 8.3
- Component/s: Web Common
We want to be able to control the sending of an X-Frame-Options header in Nuxeo, to allow better clickjacking protection (https://www.owasp.org/index.php/Clickjacking) directly from Nuxeo instead of having to do it from a front-end proxy.
The default should be SAMEORIGIN in master, but for backward compatibility the header will not be sent by default in hotfix releases (although it remains configurable there).
For 8.3 the implementation uses the standard responseHeaders extension point of the RequestControllerService. To completely deactivate the header, contribute the following (the require is needed so this contribution is applied after the default one):

    <require>org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib</require>
    <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService"
               point="responseHeaders">
      <header name="X-Frame-Options" enabled="false"/>
    </extension>
–
To restrict the framing (in an iframe) of a Nuxeo site for clickjacking protection, you can define the following in nuxeo.conf:

    nuxeo.frame.options=SAMEORIGIN

(this is the default starting from Nuxeo 8.3).
See https://tools.ietf.org/html/rfc7034 and https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options for more about the possible values. See https://www.owasp.org/index.php/Clickjacking about clickjacking.
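Whichever way the header is configured (the nuxeo.conf option above or the responseHeaders extension point), the practical question is what a browser actually receives, since a front-end proxy may strip the header, add a second copy, or the value may be misspelt. The script below is an added example for this page and is not Nuxeo project code: it classifies the X-Frame-Options value(s) of a response according to RFC 7034 (DENY and SAMEORIGIN are the only values every browser honours; ALLOW-FROM is flagged separately because browser support for it is inconsistent; a missing, unknown or self-contradicting value gives no protection). The sample responses are constructed, not captured from a real server, and `check_url` is a hypothetical helper that needs network access to a running instance.

```python
"""Classify the clickjacking protection given by a response's X-Frame-Options
header. Added example for this issue page, not Nuxeo project code."""
import urllib.request
from typing import Dict, Iterable, List, Tuple

# The two values defined by RFC 7034 that all major browsers enforce.
STRICT_VALUES = {"DENY", "SAMEORIGIN"}


def classify_frame_options(values: Iterable[str]) -> str:
    """Return one of 'protected', 'legacy-allow-from', 'conflicting', 'unprotected'.

    `values` holds every X-Frame-Options value found in the response. A server
    can emit the header more than once (typically when a front-end proxy adds
    its own copy on top of the application's), so comma-joined values are split
    too, because that is how merged headers appear on the wire.
    """
    tokens: List[str] = []
    for raw in values:
        for part in raw.split(","):
            part = part.strip().upper()
            if part:
                tokens.append(part)
    if not tokens:
        return "unprotected"            # header absent: the hotfix default
    if len(set(tokens)) > 1:
        return "conflicting"            # e.g. SAMEORIGIN + DENY: browser behaviour varies
    token = tokens[0]
    if token in STRICT_VALUES:
        return "protected"
    if token.startswith("ALLOW-FROM "):
        return "legacy-allow-from"      # RFC 7034 value, not honoured by every browser
    return "unprotected"                # unknown value (e.g. a typo) is simply ignored


def header_values(headers: Iterable[Tuple[str, str]], name: str) -> List[str]:
    """Collect all values of header `name`, matching the name case-insensitively."""
    wanted = name.lower()
    return [value for key, value in headers if key.lower() == wanted]


def check_url(url: str, timeout: float = 10.0) -> str:
    """Hypothetical helper: fetch `url` and classify its X-Frame-Options header.
    Requires network access; not exercised by the constructed samples below."""
    request = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return classify_frame_options(header_values(response.getheaders(), "X-Frame-Options"))


# Constructed sample responses (header lists only), not captured from a real Nuxeo server.
SAMPLES: Dict[str, List[Tuple[str, str]]] = {
    "8.3 default":                  [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "hotfix default (no header)":   [("Content-Type", "text/html")],
    "proxy adds a second copy":     [("X-Frame-Options", "SAMEORIGIN"), ("x-frame-options", "DENY")],
    "merged duplicate":             [("X-Frame-Options", "DENY, DENY")],
    "allow-from":                   [("X-Frame-Options", "ALLOW-FROM https://intranet.example")],
    "misspelt value":               [("X-Frame-Options", "SAME-ORIGIN")],
}


def run_samples() -> Dict[str, str]:
    """Classify every constructed sample; returns name -> verdict."""
    return {name: classify_frame_options(header_values(headers, "X-Frame-Options"))
            for name, headers in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:30s} -> {verdict}")
```

Point `check_url` at a Nuxeo login page to verify a deployment after changing nuxeo.conf or the extension contribution; anything other than "protected" means the page can still be framed by some browser. Note that a Content-Security-Policy frame-ancestors directive, where present, takes precedence over X-Frame-Options in browsers that support it, so a site using CSP should be checked for that header as well.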