
tickets #68263

Broken integration due to header on proxy

Added by hellcp 6 months ago. Updated about 2 months ago.

Status: Workable
Priority: Normal
Assignee: opensuse-admin
Category: Core services and infra
Target version: -
Start date: 2020-06-21
Due date:
% Done: 0%
Estimated time:

Description

Proxy sets x-frame-options header on dimension.opensuse.org, breaking its chat.o.o integration

History

#1 Updated by cboltz 6 months ago

Confirmed, haproxy.cfg has

    # additional security headers, as requested by MF-IT security scan at 2020-04-16
    http-response set-header X-Frame-Options SAMEORIGIN                 if is_ssl
    http-response set-header X-XSS-Protection "1; mode=block"           if is_ssl
    http-response set-header X-Content-Type-Options nosniff             if is_ssl
    http-response set-header Referrer-Policy no-referrer-when-downgrade if is_ssl

Do you have a better idea how we should set X-Frame-Options (globally or specific for dimension.o.o)?

https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options looks like it's possible to specify allow-from https://chat.o.o, but with limited browser support.

#2 Updated by cboltz 6 months ago

  • Private changed from Yes to No

#3 Updated by hellcp 6 months ago

cboltz wrote:

> Confirmed, haproxy.cfg has
>
>     # additional security headers, as requested by MF-IT security scan at 2020-04-16
>     http-response set-header X-Frame-Options SAMEORIGIN                 if is_ssl
>     http-response set-header X-XSS-Protection "1; mode=block"           if is_ssl
>     http-response set-header X-Content-Type-Options nosniff             if is_ssl
>     http-response set-header Referrer-Policy no-referrer-when-downgrade if is_ssl
>
> Do you have a better idea how we should set X-Frame-Options (globally or specific for dimension.o.o)?
>
> https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options looks like it's possible to specify allow-from https://chat.o.o, but with limited browser support.

I would probably ask for it to not be set on dimension.o.o at all, since dimension should be able to work with applications too, not just chat.o.o

#4 Updated by cboltz 6 months ago

I tried with

    http-response set-header X-Frame-Options SAMEORIGIN                 if is_ssl !is_dimension

but the only thing that produces is

    [WARNING] 172/201010 (13798) : parsing [/etc/haproxy/haproxy.cfg:131] : acl 'is_dimension' will never match because it only involves keywords that are incompatible with 'frontend http-response header rule'

therefore I've reverted my non-working changes.

https://discourse.haproxy.org/t/http-response-set-header-with-condition-not-working/3108 looks somewhat related, but I'm not a fan of doing config changes I don't understand, especially not on one of our most important and visible servers ;-)

Can someone who is more familiar with haproxy please have a look at this?

#5 Updated by hellcp 5 months ago

Additional note, I remembered today we offer embeddable download pages on software-o-o, I looked it up and the header is also on software-o-o, breaking the entire integration there as well. https://software.opensuse.org/download/doc

#6 Updated by lrupp 4 months ago

I had a similar problem when trying to integrate etherpad into meet.o.o (and later meet.o.o in moodle.o.o ;-)

From /etc/haproxy/haproxy.cfg:

    # the following two lines are needed to allow embedding of etherpad.o.o
    # in meet.opensuse.org - using the 'is_etherpad' ACL will NOT work
    http-request set-var(txn.host) hdr(Host)
    acl no_x-frame-option var(txn.host) -m str etherpad.opensuse.org

Ergo: it should be possible to add an additional line like:

    acl no_x-frame-option var(txn.host) -m str chat.opensuse.org

and be done with it.

Leaving it up to those who want to saltify the haproxy.cfg to have a section for "embedded host names" ...
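The approach lrupp describes, written out as one complete haproxy.cfg frontend (an added example for this ticket, not the actual openSUSE config: the frontend name, bind line, certificate path, backend name and the is_ssl definition are assumptions). It also applies the same exemption to the two hosts hellcp reported, since X-Frame-Options is enforced on the framed page, so the host to exempt is the embedded one:

```haproxy
frontend https-in
    # bind line and certificate path are assumptions for this example
    bind :443 ssl crt /etc/haproxy/certs/
    acl is_ssl ssl_fc

    # Copy the request's Host header into a transaction-scoped variable while
    # the request is being processed. hdr(Host) is a request-phase sample and
    # cannot be evaluated by an http-response rule (the "acl ... will never
    # match" warning from comment #4), but txn.* variables live until the
    # transaction ends, so they can be tested when the response goes out.
    http-request set-var(txn.host) hdr(Host),lower

    # Hosts whose pages are framed by other sites. The browser checks
    # X-Frame-Options on the framed response, so the exemption is keyed on the
    # embedded host (etherpad.o.o inside meet.o.o, dimension.o.o inside
    # chat.o.o, software.o.o download pages), not on the embedding site.
    acl no_x-frame-option var(txn.host) -m str etherpad.opensuse.org
    acl no_x-frame-option var(txn.host) -m str dimension.opensuse.org
    acl no_x-frame-option var(txn.host) -m str software.opensuse.org

    # Security headers from the scan. Only X-Frame-Options gets the exemption;
    # the remaining headers do not affect framing and stay on for every host.
    http-response set-header X-Frame-Options SAMEORIGIN                 if is_ssl !no_x-frame-option
    http-response set-header X-XSS-Protection "1; mode=block"           if is_ssl
    http-response set-header X-Content-Type-Options nosniff             if is_ssl
    http-response set-header Referrer-Policy no-referrer-when-downgrade if is_ssl

    default_backend webservers   # assumed backend name
```

After `haproxy -c -f /etc/haproxy/haproxy.cfg` passes and the service is reloaded, `curl -sI https://dimension.opensuse.org/ | grep -i x-frame-options` should print nothing for an exempted host and the SAMEORIGIN line for any other host behind the same frontend.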

#7 Updated by lrupp about 2 months ago

  • Status changed from New to Workable
