On 03/10/2016 07:02 PM, Simo Sorce wrote:
> On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote:
> > Hi,
> >
> > These two options allow preventing clickjacking attacks. They don't
> > allow opening FreeIPA in a frame, iframe or object element.
> Will these apply to the whole server or just to /ipa?

Yes, you are right, these apply to the whole server. In this new patch they are applied only to /ipa.

--
Pavel^3 Vomacka
From 8d68fe6f42d395b6e8a36987b08e879b2bcbed85 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvoma...@redhat.com>
Date: Thu, 10 Mar 2016 18:32:50 +0100
Subject: [PATCH] Add X-Frame-Options and frame-ancestors options

These two options allow preventing clickjacking attacks. They don't allow
opening FreeIPA in a frame, iframe or object element.

https://fedorahosted.org/freeipa/ticket/4631
---
 install/conf/ipa.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 8d4fea35e9c5aa15a611d90fe005090abb1d8e50..323849de71e65dc31cf3ffcaa1d6cecc70c85833 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -71,6 +71,8 @@ WSGIScriptReloading Off
   ErrorDocument 401 /ipa/errors/unauthorized.html
   WSGIProcessGroup ipa
   WSGIApplicationGroup ipa
+  Header always append X-Frame-Options DENY
+  Header always append Content-Security-Policy "frame-ancestors 'none'"
 </Location>
 
 # Turn off Apache authentication for sessions
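Review bot: `Header always append` in the two added lines merges the new value into any X-Frame-Options or Content-Security-Policy header that is already present (comma-joined), so if another module or an upstream proxy already emits X-Frame-Options the client receives something like `DENY, SAMEORIGIN`, which browsers treat as an invalid value and ignore; `Header always set X-Frame-Options DENY` (and `set` for the CSP line as well) guarantees exactly the intended value. Also worth confirming that mod_headers is loaded on every platform this conf is installed on, since without it `Header` is an unknown directive and httpd refuses to start.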
-- 
2.5.0
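A check for the two headers this patch adds, written as an added example here and not part of the patch or of FreeIPA itself: it inspects a response's headers and flags both a missing header and the merged X-Frame-Options value that `Header append` can produce when the header was already set; the host and path passed to `check_url` are assumptions, and the sample header lists are constructed.

```python
from http.client import HTTPSConnection

# X-Frame-Options is single-valued: a merged value such as "DENY, SAMEORIGIN"
# (what `Header append` yields if the header already existed) is ignored.
XFO_VALID = {"DENY", "SAMEORIGIN"}

def frame_ancestors(csp):
    """Return the frame-ancestors source list of a CSP header value, or None.
    A comma-joined value carries several policies; the first naming it wins."""
    for policy in csp.split(","):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None

def check_clickjacking_headers(headers):
    """headers: (name, value) pairs as from HTTPResponse.getheaders().
    Returns problem strings; an empty list means the page cannot be framed."""
    merged = {}
    for name, value in headers:  # repeated headers combine as a client would
        key = name.lower()
        merged[key] = value if key not in merged else merged[key] + ", " + value
    problems = []
    xfo = merged.get("x-frame-options")
    if xfo is None:
        problems.append("X-Frame-Options missing")
    else:
        tokens = [t.strip().upper() for t in xfo.split(",")]
        if len(tokens) != 1 or tokens[0] not in XFO_VALID:
            problems.append(f"X-Frame-Options has an unusable value: {xfo!r}")
    sources = frame_ancestors(merged.get("content-security-policy", ""))
    if sources is None:
        problems.append("Content-Security-Policy lacks frame-ancestors")
    elif sources != ["'none'"]:
        problems.append("frame-ancestors allows framing by: " + " ".join(sources))
    return problems

def check_url(host, path="/ipa/"):
    """Fetch `path` over HTTPS (host is an assumption) and check the live headers."""
    conn = HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    return check_clickjacking_headers(conn.getresponse().getheaders())

# Constructed samples: the headers the patch emits, and the `append` failure mode.
SAMPLE_OK = [("Content-Type", "text/html"), ("X-Frame-Options", "DENY"),
             ("Content-Security-Policy", "frame-ancestors 'none'")]
SAMPLE_MERGED = [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN"),
                 ("Content-Security-Policy", "default-src 'self', frame-ancestors 'none'")]
```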

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code