On 03/10/2016 07:02 PM, Simo Sorce wrote:
> On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote:
>> Hi,
>> These two options allow preventing clickjacking attacks. They don't
>> allow opening FreeIPA in a frame, iframe or object element.
> Will these apply to the whole server or just to /ipa?
Yes, you are right, these apply to the whole server. In this new patch they
are applied only to /ipa.
--
Pavel^3 Vomacka
From 8d68fe6f42d395b6e8a36987b08e879b2bcbed85 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <[email protected]>
Date: Thu, 10 Mar 2016 18:32:50 +0100
Subject: [PATCH] Add X-Frame-Options and frame-ancestors options
These two options allow preventing clickjacking attacks. They don't allow
opening FreeIPA in a frame, iframe or object element.
https://fedorahosted.org/freeipa/ticket/4631
---
install/conf/ipa.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 8d4fea35e9c5aa15a611d90fe005090abb1d8e50..323849de71e65dc31cf3ffcaa1d6cecc70c85833 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -71,6 +71,8 @@ WSGIScriptReloading Off
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
+ Header always append X-Frame-Options DENY
+ Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
# Turn off Apache authentication for sessions
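Review bot: `Header always append X-Frame-Options DENY` should be `Header always set X-Frame-Options DENY`. `append` merges the new value into any X-Frame-Options header already present on the response (set by another configuration section or by the application itself), yielding a single header such as `SAMEORIGIN, DENY`; that is not a valid value for this header, and how browsers treat a malformed X-Frame-Options is nothing to rely on, so the protection can be silently lost. `set` replaces whatever is there and guarantees exactly one value. For `Content-Security-Policy` the comma-merged form is legal (each policy is enforced), so `append` is acceptable on the second line, though `set` is the more predictable choice when this file is meant to own the header. `always` is the right condition, since it also covers non-2xx responses such as the `ErrorDocument 401` page a few lines up. Both directives come from mod_headers and nothing in this file loads it, so a short comment that ipa.conf now depends on that module being loaded would help whoever deploys this on a trimmed httpd.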
--
2.5.0
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
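The thread only states that the two headers stop FreeIPA being framed. What a practitioner verifying the patch also needs to know is how a browser combines them: a CSP `frame-ancestors` directive takes precedence over `X-Frame-Options`, and `X-Frame-Options` is only meaningful with a single valid value, so a merged value such as `SAMEORIGIN, DENY` (what `Header append` produces when another value is already on the response) must not be counted as protection. The following check is an added example, not FreeIPA code or part of the patch; it parses a raw HTTP response header block (the sample responses below are constructed, not captured from a real server) and reports the framing verdict under those rules.

```python
"""Classify the clickjacking protection carried by an HTTP response.

Added example, not FreeIPA code.  Rules modelled:
* every CSP policy is enforced, and a frame-ancestors directive overrides
  X-Frame-Options entirely;
* X-Frame-Options is valid only as a single DENY or SAMEORIGIN value, so a
  comma-merged or unknown value is reported as 'invalid', not as protection.
"""
from typing import List, Optional, Tuple

Header = Tuple[str, str]


def parse_headers(raw: str) -> List[Header]:
    """Split a raw header block into (lowercase name, value) pairs, keeping
    repeated headers in their original order."""
    pairs: List[Header] = []
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue  # skip the status line and blank separators
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_ancestors(headers: List[Header]) -> Optional[List[List[str]]]:
    """Return the source list of every frame-ancestors directive found in the
    Content-Security-Policy header(s), or None if no policy defines one."""
    found: List[List[str]] = []
    for name, value in headers:
        if name != "content-security-policy":
            continue
        # A header may carry several comma-separated policies (the form Apache's
        # `Header append` produces); each policy is a ';'-separated directive list.
        for policy in value.split(","):
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    found.append([t.lower() for t in tokens[1:]])
    return found or None


def x_frame_options(headers: List[Header]) -> List[str]:
    """Return every X-Frame-Options value, splitting comma-merged lists."""
    values: List[str] = []
    for name, value in headers:
        if name == "x-frame-options":
            values.extend(v.strip().upper() for v in value.split(",") if v.strip())
    return values


def framing_verdict(raw: str) -> str:
    """One of: 'blocked', 'same-origin', 'allow-list', 'invalid', 'unprotected'."""
    headers = parse_headers(raw)

    policies = frame_ancestors(headers)
    if policies is not None:
        # CSP wins over X-Frame-Options; all policies apply, so the most
        # restrictive one decides.  An empty source list means 'none'.
        if any(p in (["'none'"], []) for p in policies):
            return "blocked"
        if all(p == ["'self'"] for p in policies):
            return "same-origin"
        return "allow-list"

    values = x_frame_options(headers)
    if not values:
        return "unprotected"
    if len(set(values)) > 1 or values[0] not in ("DENY", "SAMEORIGIN"):
        # Conflicting/merged values, or the obsolete ALLOW-FROM form: not a
        # well-formed header, and browser handling of it is not to be relied on.
        return "invalid"
    return "blocked" if values[0] == "DENY" else "same-origin"


# Constructed samples (not real FreeIPA traffic).
PATCHED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
)
# What `Header always append` yields when SAMEORIGIN was already set elsewhere.
APPEND_COLLISION = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN, DENY\r\n"
)

if __name__ == "__main__":
    for label, sample in (("patched", PATCHED_RESPONSE), ("append collision", APPEND_COLLISION)):
        print(f"{label}: {framing_verdict(sample)}")
```

Run against live output with `curl -sI https://ipa.example.test/ipa/ui/` piped into `framing_verdict`, and treat anything other than `blocked` for the UI paths as a regression; the `invalid` verdict is the one that the `append` form of the patch can produce and `set` cannot.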