"X-Frame-Options" header set by Apache prevents opiframe from being used by RP #543

Closed
aliaksander-samuseu opened this issue May 16, 2017 · 1 comment
Assignees: qbert2k
Labels: bug (bug in code), high priority (resolution must be prioritized)
Milestone: CE 3.0.2

Comments


aliaksander-samuseu commented May 16, 2017

Environment:
CentOS6.7/Ubuntu 14.04, Gluu CE 3.0.1/Gluu CE 3.1

Steps to reproduce:

  1. Send a request similar to the one below (you may need a valid session cookie for it to work):

```http
GET /oxauth/opiframe HTTP/1.1
Host: idp.gsu.edu
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://oidc-js.site:5000/user-manager-sample.html
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: csfcfc=eFL7H6eZ; session_state=f7e8e1d1-8d5d-4cb5-ac33-0e3dbf0111f4
```

Result:
The response contains an "X-Frame-Options: SAMEORIGIN" header, which prevents the RP from using it in an iframe as it should be used per this spec.
This happens because of this line added in 3.x to Apache's config:

```apache
# Security headers
Header always append X-Frame-Options SAMEORIGIN
```

Expected result:
No "X-Frame-Options" header in the response from /oxauth/opiframe, or a header with a value that allows it to be used in an iframe at this origin.

@aliaksander-samuseu aliaksander-samuseu added bug bug in code high priority resolution must be prioritized labels May 16, 2017
@aliaksander-samuseu aliaksander-samuseu added this to the CE 3.0.2 milestone May 16, 2017
@yuriyz yuriyz assigned qbert2k and unassigned yuriyz May 16, 2017
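The following is an added example of one way to address the behaviour reported above; it is not the Gluu project's shipped configuration and not from the issue itself. It assumes Apache with mod_headers loaded (the directives used exist in both 2.2 and 2.4) and uses the /oxauth/opiframe path from the report. The idea is to keep the blanket SAMEORIGIN policy for every other oxAuth page and carve out only the session-management iframe, which the OpenID Connect Session Management spec requires the RP to embed cross-origin.

```apache
# Added example, not the Gluu project's own configuration.
# Assumes mod_headers is loaded and the OP iframe is served at
# /oxauth/opiframe (path taken from the report).

# Weak setting as reported: applied to every response, so the OP iframe
# refuses to load inside a page served from the RP's origin.
#
#   Header always append X-Frame-Options SAMEORIGIN

# Corrected: keep SAMEORIGIN for the rest of oxAuth (login, consent and
# similar pages should never be framed) ...
Header always append X-Frame-Options SAMEORIGIN

# ... but drop it for the session-management iframe only. That endpoint is
# designed to be embedded cross-origin and merely answers postMessage
# session-state checks, so framing it does not expose a clickjackable UI.
# mod_headers processes <Location> directives after server-level ones,
# so this unset removes the value appended above for this path only.
<Location "/oxauth/opiframe">
    Header always unset X-Frame-Options
</Location>
```

After reloading Apache, confirm that `curl -sI https://<your-idp-host>/oxauth/opiframe` (with a valid session cookie if the endpoint requires one) shows no X-Frame-Options header while any other oxAuth path still returns `SAMEORIGIN`. If the proxied application itself also emits X-Frame-Options, `append` produces a comma-joined value; using `set` instead of `append` guarantees a single, well-formed value on the paths where the header is kept.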

qbert2k commented May 17, 2017

No branches or pull requests

3 participants