tickets #68263 (closed, 100% done)
Broken integration due to header on proxy
Description
Proxy sets x-frame-options header on dimension.opensuse.org, breaking its chat.o.o integration
Updated by cboltz almost 4 years ago
Confirmed, haproxy.cfg has
# additional security headers, as requested by MF-IT security scan at 2020-04-16
http-response set-header X-Frame-Options SAMEORIGIN if is_ssl
http-response set-header X-XSS-Protection "1; mode=block" if is_ssl
http-response set-header X-Content-Type-Options nosniff if is_ssl
http-response set-header Referrer-Policy no-referrer-when-downgrade if is_ssl
Do you have a better idea how we should set X-Frame-Options (globally or specific for dimension.o.o)?
https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options looks like it's possible to specify allow-from https://chat.o.o, but with limited browser support.
Updated by hellcp almost 4 years ago
cboltz wrote:
Confirmed, haproxy.cfg has
# additional security headers, as requested by MF-IT security scan at 2020-04-16
http-response set-header X-Frame-Options SAMEORIGIN if is_ssl
http-response set-header X-XSS-Protection "1; mode=block" if is_ssl
http-response set-header X-Content-Type-Options nosniff if is_ssl
http-response set-header Referrer-Policy no-referrer-when-downgrade if is_ssl
Do you have a better idea how we should set X-Frame-Options (globally or specific for dimension.o.o)?
https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options looks like it's possible to specify allow-from https://chat.o.o, but with limited browser support.
I would probably ask for it to not be set on dimension.o.o at all, since dimension should be able to work with applications too, not just chat.o.o
Updated by cboltz almost 4 years ago
I tried with
http-response set-header X-Frame-Options SAMEORIGIN if is_ssl !is_dimension
but the only thing that produces is
[WARNING] 172/201010 (13798) : parsing [/etc/haproxy/haproxy.cfg:131] : acl 'is_dimension' will never match because it only involves keywords that are incompatible with 'frontend http-response header rule'
therefore I've reverted my non-working changes.
https://discourse.haproxy.org/t/http-response-set-header-with-condition-not-working/3108 looks somewhat related, but I'm not a fan of doing config changes I don't understand, especially not on one of our most important and visible servers ;-)
Can someone who is more familiar with haproxy please have a look at this?
Updated by hellcp over 3 years ago
Additional note, I remembered today we offer embeddable download pages on software-o-o, I looked it up and the header is also on software-o-o, breaking the entire integration there as well. https://software.opensuse.org/download/doc
Updated by lrupp over 3 years ago
I had a similar problem when trying to integrate etherpad into meet.o.o (and later meet.o.o in moodle.o.o ;-)
From /etc/haproxy/haproxy.cfg:
# the following two lines are needed to allow embedding of etherpad.o.o
# in meet.opensuse.org - using the 'is_etherpad' ACL will NOT work
http-request set-var(txn.host) hdr(Host)
acl no_x-frame-option var(txn.host) -m str etherpad.opensuse.org
Ergo: it should be possible to add an additional line like:
acl no_x-frame-option var(txn.host) -m str chat.opensuse.org
and be done with it.
Leaving it up to those who want to saltify the haproxy.cfg to have a section for "embedded host names" ...
Updated by SchoolGuy about 3 years ago
Can the Jitsi Team help you with that? Or is this purely haproxy related?
Updated by lrupp about 3 years ago
- Status changed from Workable to Feedback
SchoolGuy wrote:
Can the Jitsi Team help you with that? Or is this purely ha-proxy related?
This is completely haproxy related.
I thought that someone from the other heroes would take this as a junior job - but it looks like this got forgotten... Sorry!
Checked/Added
acl no_x-frame-option var(txn.host) -m str chat.opensuse.org
acl no_x-frame-option var(txn.host) -m str dimension.opensuse.org
Followed by:
http-response set-header X-Frame-Options SAMEORIGIN if is_ssl !no_x-frame-option
Can you please verify if this fixes your problem?
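The pattern from lrupp's two comments (the etherpad.o.o workaround and the chat/dimension fix), written out as a complete frontend so the failing and the working variants sit side by side. This is an added example, not the ticket's /etc/haproxy/haproxy.cfg: the frontend and backend names, the bind line, the certificate path and the definition of the is_ssl ACL are assumptions; the host names are the ones named in the ticket, with software.opensuse.org added because hellcp reported the same breakage there.

```haproxy
# Added example, not the ticket's haproxy.cfg. Frontend/backend names,
# bind line, cert path and the 'is_ssl' ACL definition are assumptions.
frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/
    acl is_ssl ssl_fc

    # Broken form (what cboltz tried first): an ACL on the request's Host
    # header is evaluated at response time in an http-response rule, and
    # request header fetches are not available there. HAProxy warns that
    # the ACL "will never match", so X-Frame-Options is set on every host.
    #
    #   acl is_dimension hdr(host) -i dimension.opensuse.org
    #   http-response set-header X-Frame-Options SAMEORIGIN if is_ssl !is_dimension

    # Working form: copy Host into a transaction-scoped variable while the
    # request is processed. txn.* variables live for the whole
    # request/response exchange, so an http-response rule can read them.
    http-request set-var(txn.host) hdr(Host)

    # Several 'acl' lines with the same name are OR-ed together, so each
    # host that must be embeddable is one extra line here.
    acl no_x-frame-option var(txn.host) -m str etherpad.opensuse.org
    acl no_x-frame-option var(txn.host) -m str chat.opensuse.org
    acl no_x-frame-option var(txn.host) -m str dimension.opensuse.org
    acl no_x-frame-option var(txn.host) -m str software.opensuse.org

    # Framing is denied everywhere except on the embeddable hosts; the
    # other scan-requested headers stay unconditional.
    http-response set-header X-Frame-Options SAMEORIGIN if is_ssl !no_x-frame-option
    http-response set-header X-Content-Type-Options nosniff if is_ssl
    http-response set-header Referrer-Policy no-referrer-when-downgrade if is_ssl

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; the "will never match" warning from the ticket is exactly what that check would have printed for the broken form. After the reload, `curl -sI https://dimension.opensuse.org/ | grep -i x-frame-options` should return nothing, while the same request against a host not in the list still shows SAMEORIGIN. Note that removing the header makes those hosts frameable from any origin, which is what hellcp asked for; if only specific embedders should be allowed, the `Content-Security-Policy: frame-ancestors` directive is the browser-supported successor to the obsolete X-Frame-Options ALLOW-FROM value, and it can be set per host with the same `no_x-frame-option` ACL.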
Updated by lrupp about 3 years ago
- Status changed from Feedback to Closed
- % Done changed from 0 to 100
No feedback for >14 days, closing.