[WIP] Prevent iframe embedding by default #8807
Reviewed 1 of 1 files at r1, 1 of 1 files at r2. Comments from Reviewable

Rebase needed

hey @eternoendless what about all demos on Addons? :P
Oh thanks @kpodemski, I hadn't thought of that. Maybe we should add an option to configure the allowed domains somewhere in the BO.

has this been forgotten? or is it purposely ignored?
I have blogged about it on Dzone, go ahead and read it. I will push a commit soon, thereby avoiding this scenario.
On Tue, 21 Aug 2018, 8:09 pm jolelievre wrote:
> has this been forgotten? or is it purposely ignored?
The CSP and X-Frame-Options headers successfully block this attack from happening.
yes but from what I understand it is not that simple as the demos on Addons need to display PrestaShop in a frame, so we can't block it all the time
Can you elaborate?
On Tue, 21 Aug 2018, 8:24 pm jolelievre wrote:
> yes but from what I understand it is not that simple as the demos on Addons need to display PrestaShop in a frame, so we can't block it all the time
Or you might as well want to implement a back end functionality which might allow the Administrator user to change the frame or CSP permissions as per feasibility, if that's what you hinted at?
On Tue, 21 Aug 2018, 8:24 pm A Khan wrote:
> Can you elaborate?
>
> On Tue, 21 Aug 2018, 8:24 pm jolelievre wrote:
> > yes but from what I understand it is not that simple as the demos on Addons need to display PrestaShop in a frame, so we can't block it all the time
Yes, I think that's what @eternoendless suggested, it should be configurable in the BO
Sure, the Administrator can simply change the nginx conf just for that. Generally speaking, things or frameworks as well as applications come out of the box with this security feature enabled by default, which should be done in the case of PrestaShop as well. That again emphasises security by default, strictly enforced.
On Tue, 21 Aug 2018, 8:30 pm jolelievre wrote:
> Yes, I think that's what @eternoendless suggested, it should be configurable in the BO
> Maybe the default value would be to block any frame, but this could be overridden by a specified allowed domain
> I lack knowledge about the addons platform actually, so I am not totally sure
| @@ -2218,6 +2218,10 @@ public static function generateHtaccess($path = null, $rewrite_settings = null, | |||
| fwrite($write_fd, "# .htaccess automaticaly generated by PrestaShop e-commerce open-source solution\n"); | |||
| fwrite($write_fd, "# http://www.prestashop.com - http://www.prestashop.com/forums\n\n"); | |||
|
|
|||
| // prevent click-jacking | |||
| fwrite($write_fd, "Header append Content-Security-Policy \"frame-ancestors 'self';\"\n"); | |||
| fwrite($write_fd, "Header append X-Frame-Options SAMEORIGIN\n\n"); | |||
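Review bot: `Header append` merges the new value onto any header of the same name that is already set elsewhere (joined with a comma), so a server-level Content-Security-Policy or X-Frame-Options would be combined with these values rather than replaced; `Header always set` is the usual choice for both lines, and `always` also applies the headers to error responses, which `Header` alone does not. The two fwrite calls also emit the `Header` directive unconditionally; placing them inside the `<IfModule mod_headers.c>` block that the .htaccess already has, as the review comment asks, avoids an invalid-command failure where mod_headers is not loaded.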
This should be surrounded by <IfModule mod_headers.c>, which already exists in this .htaccess.
Please move these lines further down in the method, as not all environments have the "header" module enabled (for instance, the docker images).
I'd strongly recommend thinking about adding a "Security Enhancements" link, e.g. BO/Configure/Advanced Parameters/Security Enhancements, where the Administrator could enable HTTP response headers like:
Vulnerability scanners complain about the omission of these headers by default.
Regarding demonstrating AddOns: PrestaShop websites used for demonstration purposes could have some security options disabled (should the "X-Frame-Options: SAMEORIGIN" break the demo).
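As an added example (not code from this PR or from PrestaShop), here is how the generated .htaccess block could honour a configurable allow-list of framing origins like the one discussed above, while keeping the headers inside the <IfModule mod_headers.c> guard the review asks for. The function and parameter names are assumptions, and the demo origin is constructed.

```php
<?php
// Added example, not PrestaShop's code: builds the clickjacking block for
// .htaccess from a configurable list of framing origins (the "allowed
// domains in the BO" idea from the thread). buildFrameProtection() and
// $allowedAncestors are assumed names.

/**
 * Returns the .htaccess lines restricting who may frame the shop.
 *
 * @param string[] $allowedAncestors extra origins allowed to embed the shop,
 *                                   e.g. "https://demo.example" (constructed);
 *                                   empty means same origin only
 * @return string
 */
function buildFrameProtection(array $allowedAncestors = [])
{
    $sources = ["'self'"];
    foreach ($allowedAncestors as $origin) {
        // Accept only a bare scheme://host[:port] origin; a path, quote or
        // space here would corrupt the generated directive.
        if (!preg_match('#^https?://[A-Za-z0-9.-]+(:\d{1,5})?$#', $origin)) {
            throw new InvalidArgumentException("Invalid frame ancestor: $origin");
        }
        $sources[] = $origin;
    }

    $lines = ['# prevent click-jacking'];
    // Without this guard, an unknown "Header" directive in .htaccess makes
    // Apache answer 500 when mod_headers is not loaded.
    $lines[] = '<IfModule mod_headers.c>';
    // "always set" replaces any value set elsewhere ("append" would merge
    // them with a comma) and also covers non-2xx responses.
    $lines[] = '    Header always set Content-Security-Policy "frame-ancestors '
        . implode(' ', $sources) . ';"';
    if (count($sources) === 1) {
        // X-Frame-Options only knows DENY/SAMEORIGIN, so it is emitted as a
        // legacy fallback only when no foreign origin is allowed.
        $lines[] = '    Header always set X-Frame-Options SAMEORIGIN';
    }
    $lines[] = '</IfModule>';

    return implode("\n", $lines) . "\n";
}

// Default: block every foreign frame (what the PR proposes).
echo buildFrameProtection();
// Demo configuration: additionally allow one constructed demo origin.
echo buildFrameProtection(['https://demo.example']);
```

With an allow-list configured, CSP frame-ancestors is the directive that actually carries the policy; X-Frame-Options is kept only for the same-origin-only default, where legacy browsers can still honour it.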
Is this PR still relevant?
@PierreRambaud I think we should update this PR in the scope of our security reinforcement for PrestaShop |
Woot didn't see this notification. |
Like I said before:
I'm closing this PR out of staleness, but @PierreRambaud as @matks said, this is something that could be done as a security feature.
Many thanks to Arif Khan for having pointed this out!