[ 
https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-1028:
---------------------------------
    Description: 
When the xframe-options.enabled param is set to true in the WebAppSec provider, the 
same is not reflected in the HTTP response header. See the attached screenshot here 
!Screen Shot 2017-09-07 at 10.31.20 PM.png|width=70%!. Also, the X-XSRF-Header param 
is not effective, and curl calls without X-XSRF-Header are also passing through, 
e.g.
 
{code}
$ curl -iku admin:admin-password https://localhost:8443/gateway/admin/api/v1/version
HTTP/1.1 200 OK
Date: Thu, 07 Sep 2017 16:57:27 GMT
Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 06-Sep-2017 16:57:27 GMT
Content-Type: application/xml
Content-Length: 167
Server: Jetty(9.2.15.v20160210)

<?xml version="1.0" encoding="UTF-8"?>
<ServerVersion>
   <version>0.14.0-SNAPSHOT</version>
   <hash>6657f2fd9f52c8303fc9a2d1d72eef38be719288</hash>
</ServerVersion>
{code}

Related topology config

{noformat}
                <provider>
                        <role>webappsec</role>
                        <name>WebAppSec</name>
                        <enabled>true</enabled>
                        <param>
                                <name>csrf.enabled</name>
                                <value>true</value>
                        </param>
                        <param>
                                <name>csrf.customHeader</name>
                                <value>X-XSRF-Header</value>
                        </param>
                        <param>
                                <name>csrf.methodsToIgnore</name>
                                <value>GET,OPTIONS,HEAD</value>
                        </param>
                        <param>
                                <name>cors.enabled</name>
                                <value>true</value>
                        </param>
                        <param>
                                <name>xframe-options.enabled</name>
                                <value>true</value>
                        </param>
                </provider>

{noformat}


> X-Frame-Options and other security headers are ineffective
> ----------------------------------------------------------
>
>                 Key: KNOX-1028
>                 URL: https://issues.apache.org/jira/browse/KNOX-1028
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.13.0, 0.14.0
>            Reporter: Krishna Pandey
>            Priority: Critical
>         Attachments: Screen Shot 2017-09-07 at 10.31.20 PM.png
>
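The report describes two WebAppSec protections that did not show up in practice: xframe-options.enabled with no X-Frame-Options header in the response, and csrf.enabled with requests lacking the csrf.customHeader still passing. As an added example (not Knox project code or the reporter's), this Python check reads the provider params from a topology fragment and audits a captured `curl -i` response against them. The topology and response text are constructed copies of what the issue shows, and the check honours csrf.methodsToIgnore, so the GET in the report is only flagged for the missing X-Frame-Options header.

```python
import xml.etree.ElementTree as ET

# Constructed topology fragment mirroring the issue's WebAppSec provider block.
TOPOLOGY = """<topology><gateway><provider>
  <role>webappsec</role><name>WebAppSec</name><enabled>true</enabled>
  <param><name>csrf.enabled</name><value>true</value></param>
  <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param>
  <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param>
  <param><name>xframe-options.enabled</name><value>true</value></param>
</provider></gateway></topology>"""

# Constructed copy of the response shown by `curl -i` in the report (no X-Frame-Options).
RAW_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/xml
Server: Jetty(9.2.15.v20160210)

<ServerVersion/>"""

def webappsec_params(topology_xml):
    """Map param name -> value for the enabled webappsec provider ({} if none)."""
    for prov in ET.fromstring(topology_xml).iter("provider"):
        if prov.findtext("role") == "webappsec" and prov.findtext("enabled") == "true":
            return {p.findtext("name"): p.findtext("value") for p in prov.iter("param")}
    return {}

def parse_response(raw):
    """Split `curl -i` output into (status code, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    status, headers = int(lines[0].split()[1]), {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section; the body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(topology_xml, raw_response, method, sent_headers=()):
    """Return findings: configured protections the observed response did not honour."""
    params = webappsec_params(topology_xml)
    status, headers = parse_response(raw_response)
    findings = []
    if params.get("xframe-options.enabled") == "true" and "x-frame-options" not in headers:
        findings.append("xframe-options.enabled=true but response has no X-Frame-Options header")
    if params.get("csrf.enabled") == "true":
        custom = params.get("csrf.customHeader", "X-XSRF-Header")
        ignored = {m.strip().upper() for m in params.get("csrf.methodsToIgnore", "").split(",")}
        # A non-ignored method sent without the custom header must not get a 2xx/3xx.
        if method.upper() not in ignored and custom.lower() not in {h.lower() for h in sent_headers} and status < 400:
            findings.append(f"csrf.enabled=true but {method.upper()} without {custom} got HTTP {status}")
    return findings
```

Run `audit(TOPOLOGY, RAW_RESPONSE, "GET")` against a fresh capture after a Knox upgrade or topology change; an empty list means both protections are observable on the wire.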



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
