5.7.5.4: X-Frame options
Permalink
Hi
So I get an error message when trying to include a page on another domain in an iframe. I've found out that concrete5 got a new addition in 5.7.5.4:
http://documentation.concrete5.org/developers/background/version-hi...
Citation: "Added X-Frame-Options header option for security purposes (thanks hissy)"
So where can I deactivate that? For one page or if needed globally? Anyone knows?
So I get an error message when trying to include a page on another domain in an iframe. I've found out that concrete5 got a new addition in 5.7.5.4:
http://documentation.concrete5.org/developers/background/version-hi...
Citation: "Added X-Frame-Options header option for security purposes (thanks hissy)"
So where can I deactivate that? For one page or if needed globally? Anyone knows?
Thank you Mnkras
That solved it for me. For anyone else who struggles with the same:
1. copy the file /concrete/config/concrete.php into /application/config/
2. Find "x_frame_options" and change the value to "GOFORIT"
Edit: Don't copy the whole concrete.php file. Just take the Security chapter, otherwise weird stuff seems to happen. In my case scripts didn't got loaded anymore when logged out.
That solved it for me. For anyone else who struggles with the same:
1. copy the file /concrete/config/concrete.php into /application/config/
2. Find "x_frame_options" and change the value to "GOFORIT"
Edit: Don't copy the whole concrete.php file. Just take the Security chapter, otherwise weird stuff seems to happen. In my case scripts didn't got loaded anymore when logged out.
FYI, you are now sending a header that says GOFORIT...
Mike
Mike
Is there a better alternative?
Hi, really useful tip, thanks!
Any idea how to set it in 5.8+? The link to instructions is broken...
Any idea how to set it in 5.8+? The link to instructions is broken...
That's concrete5.org's wonderful forum link munger (a very long-standing bug here).
Anytime you want to include a link ALWAYS surround it by two spaces (before and after). Like this:
http://documentation.concrete5.org/tutorials/enable-database-based-...
So (although I am not recommending it) here's what application/config/concrete.php would look like (taken from 8.4.2):
That's actually http://a-trusted-site.com above (thanks munger!)
But, ALLOW-FROM will *not* be supported in Chrome (now the most used browser) nor Safari, and c5 really should be using Content-Security-Policy (CSP) *and* X-Frame-Options!
I don't think that's been implemented like you can use in Apache mod_headers:
The technical side:
The best option is to implement the Content-Security-Policy header with the frame-ancestors directive. This allows multiple URIs to be configured and is understood by most browsers but IE and Edge 14 and below.
For IE and Edge 14 support you can also set the X-Frame-Options with ALLOW-FROM. If you create a whitelist of values you may be able to set the ALLOW-FROM URI based on the referrer.
Browsers that understand Content-Security-Policy frame-ancestors will *ignore* X-Frame-Options and those that don't understand frame-ancestors will ignore it and use X-Frame-Options if available. Combining https://caniuse.com/#search=csp... and https://caniuse.com/#search=x-frame-options... this will work for all browsers except "UC Browser for Android"
Nice breakdown here: https://www.keycdn.com/blog/x-frame-options/...
See also:
https://www.w3.org/TR/CSP2/#directive-frame-ancestors...
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet...
http://erlend.oftedal.no/blog/tools/xframeoptions/...
and Hardening Your HTTP Security Headers: https://www.keycdn.com/blog/http-security-headers/...
Anytime you want to include a link ALWAYS surround it by two spaces (before and after). Like this:
http://documentation.concrete5.org/tutorials/enable-database-based-...
So (although I am not recommending it) here's what application/config/concrete.php would look like (taken from 8.4.2):
return [ 'security' => [ 'misc' => [ /* * Defence Click Jacking. * * @var bool|string DENY, SAMEORIGIN, ALLOW-FROM uri */ 'x_frame_options' => 'ALLOW-FROM http://a-trusted-site.com', ], ], ];
But, ALLOW-FROM will *not* be supported in Chrome (now the most used browser) nor Safari, and c5 really should be using Content-Security-Policy (CSP) *and* X-Frame-Options!
I don't think that's been implemented like you can use in Apache mod_headers:
Header set Content-Security-Policy frame-ancestors a-trusted-site.com
The technical side:
The best option is to implement the Content-Security-Policy header with the frame-ancestors directive. This allows multiple URIs to be configured and is understood by most browsers but IE and Edge 14 and below.
For IE and Edge 14 support you can also set the X-Frame-Options with ALLOW-FROM. If you create a whitelist of values you may be able to set the ALLOW-FROM URI based on the referrer.
Browsers that understand Content-Security-Policy frame-ancestors will *ignore* X-Frame-Options and those that don't understand frame-ancestors will ignore it and use X-Frame-Options if available. Combining https://caniuse.com/#search=csp... and https://caniuse.com/#search=x-frame-options... this will work for all browsers except "UC Browser for Android"
Nice breakdown here: https://www.keycdn.com/blog/x-frame-options/...
See also:
https://www.w3.org/TR/CSP2/#directive-frame-ancestors...
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet...
http://erlend.oftedal.no/blog/tools/xframeoptions/...
and Hardening Your HTTP Security Headers: https://www.keycdn.com/blog/http-security-headers/...
(to see how to set it follow the instructions here:http://documentation.concrete5.org/tutorials/enable-database-based-...