From patchwork Mon Nov 4 18:53:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 2571 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 476MQ05YLMz43TZ for ; Mon, 4 Nov 2019 18:53:28 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 476MQ032DQz2v7; Mon, 4 Nov 2019 18:53:28 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 476MQ02Mx2z2ycF; Mon, 4 Nov 2019 18:53:28 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 476MPy44Nkz2y3W for ; Mon, 4 Nov 2019 18:53:26 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 476MPx495Rz2Ps for ; Mon, 4 Nov 2019 18:53:25 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1572893606; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=yLtjsN7zyIUiOBbBwG0oaJFeIZ1igzITsUmBZY/dgV0=; b=qEXrkFHeQlJtqsYRPBwn+p5r3U6K9s8Jn0cAs6cnidi0j2O54bNdye0oxb/+1st8NP8qhu fJ7a2jIcbQJj7lCQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1572893606; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=yLtjsN7zyIUiOBbBwG0oaJFeIZ1igzITsUmBZY/dgV0=; b=JXUa+K70x+MvjRrkknrP13TndMLYhbHbzmrx8hMX/3ZyTvYoqyrfunBf5AvYu6KSma17wC +NGJfu9MeXaQMzdDdC95Z+goDzBK2rnXvFZRPbM3avztNSYdVXnf+VXCLFmIILMOK7/iuP sH+z69ncqfCgz5lQujUl8JZAmvtKkhMNfDoCUPMpMmm0lI3tLynXQD5skA24fjmqc7CwQx 7qfr0ozmvpbI2pVIclSuFoEKYW7YYO6u1EZVyMeCO3+N9XwBu9mMDswe6UwXx+RsJ93iS2 jAmIWi+kKpeFp6LE8NFvHLPR3C2ivNzde2hxFOoNWgzV+rGDeYCBUrdawoWktg== Subject: [PATCH 2/2] Apache: deny framing of WebUI from different origins To: "IPFire: Development-List" References: From: peter.mueller@ipfire.org Message-ID: Date: Mon, 04 Nov 2019 18:53:00 +0000 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" There is no legitimate reason to do this. Setting header X-Frame-Options to "sameorigin" is necessary for displaying some collectd graphs on the WebUI. Signed-off-by: Peter Müller Acked-by: Michael Tremer --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 + config/httpd/vhosts.d/ipfire-interface.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index dc1151110..de7b8559d 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,6 +23,7 @@ Header always set X-Content-Type-Options nosniff Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" Header always set Referrer-Policy strict-origin + Header always set X-Frame-Options sameorigin Options ExecCGI diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index d95fa264f..2cf57dd29 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -9,6 +9,7 @@ Header always set X-Content-Type-Options nosniff Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" Header always set Referrer-Policy strict-origin + Header always set X-Frame-Options sameorigin Options ExecCGI