5.7.5.4: X-Frame options

Hi

So I get an error message when trying to include a page on another domain in an iframe. I've found out that concrete5 got a new addition in 5.7.5.4:

http://documentation.concrete5.org/developers/background/version-hi...

Citation: "Added X-Frame-Options header option for security purposes (thanks hissy)"

So where can I deactivate that? For one page or if needed globally? Anyone knows?

Mnkras replied (Best Answer):
You can set
concrete.security.misc.x_frame_options
to an empty string

(To see how to set it, follow the instructions here: http://documentation.concrete5.org/tutorials/enable-database-based-... )
Kiesel replied:
Thank you Mnkras

That solved it for me. For anyone else who struggles with the same:

1. copy the file /concrete/config/concrete.php into /application/config/
2. Find "x_frame_options" and change the value to "GOFORIT"

Edit: Don't copy the whole concrete.php file. Just take the Security chapter, otherwise weird stuff seems to happen. In my case scripts didn't get loaded anymore when logged out.
Mnkras replied:
FYI, you are now sending a header that says GOFORIT...

Mike
Kiesel replied:
Is there a better alternative?
simonchilton replied:
Hi, really useful tip, thanks!

Any idea how to set it in 5.8+? The link to instructions is broken...
jasteele12 replied:
That's concrete5.org's wonderful forum link munger (a very long-standing bug here).

Anytime you want to include a link ALWAYS surround it by two spaces (before and after). Like this:
http://documentation.concrete5.org/tutorials/enable-database-based-...

So (although I am not recommending it) here's what application/config/concrete.php would look like (taken from 8.4.2):

<?php
return [
    'security' => [
        'misc' => [
            /*
             * Defence Click Jacking.
             *
             * @var bool|string DENY, SAMEORIGIN, ALLOW-FROM uri
             */
            'x_frame_options' => 'ALLOW-FROM http://a-trusted-site.com',
        ],
    ],
];
That's actually http://a-trusted-site.com above (thanks munger!)

But, ALLOW-FROM will *not* be supported in Chrome (now the most used browser) nor Safari, and c5 really should be using Content-Security-Policy (CSP) *and* X-Frame-Options!

I don't think that's been implemented like you can use in Apache mod_headers (the value needs to be quoted so the directive name and source list are passed as one argument):
Header set Content-Security-Policy "frame-ancestors a-trusted-site.com"


The technical side:

The best option is to implement the Content-Security-Policy header with the frame-ancestors directive. This allows multiple URIs to be configured and is understood by most browsers except IE and Edge 14 and below.

For IE and Edge 14 support you can also set X-Frame-Options with ALLOW-FROM. If you create a whitelist of values, you may be able to set the ALLOW-FROM URI based on the referrer.

Browsers that understand Content-Security-Policy frame-ancestors will *ignore* X-Frame-Options and those that don't understand frame-ancestors will ignore it and use X-Frame-Options if available. Combining https://caniuse.com/#search=csp... and https://caniuse.com/#search=x-frame-options... this will work for all browsers except "UC Browser for Android"

Nice breakdown here: https://www.keycdn.com/blog/x-frame-options/...

See also:
https://www.w3.org/TR/CSP2/#directive-frame-ancestors...
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet...
http://erlend.oftedal.no/blog/tools/xframeoptions/...

and Hardening Your HTTP Security Headers: https://www.keycdn.com/blog/http-security-headers/...
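The combination jasteele12 describes (a full frame-ancestors list for modern browsers, plus one ALLOW-FROM value picked from a whitelist for legacy IE/Edge) as an added example. This is not concrete5 core code and not code from the post; the allowlist origins, the helper names and the idea of hooking it in from application/bootstrap/app.php are assumptions made for the example.

```php
<?php
// Added example (not concrete5 code): emit Content-Security-Policy frame-ancestors
// for modern browsers and a single X-Frame-Options ALLOW-FROM value, chosen from an
// allowlist by matching the framing page's Origin/Referer, for legacy IE/Edge.

declare(strict_types=1);

/** Origins (scheme://host[:port]) allowed to frame this site. Constructed for the example. */
const ALLOWED_FRAME_ANCESTORS = [
    'https://a-trusted-site.com',
    'https://partner.example',
];

/**
 * Reduce a Referer/Origin value to "scheme://host[:port]", or null if it cannot be parsed.
 * Comparing whole origins (not substrings) avoids "a-trusted-site.com.evil.example" bypasses.
 */
function originOf(?string $url): ?string
{
    if ($url === null || $url === '') {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']);
    if (isset($p['port'])) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

/**
 * Build both anti-clickjacking headers for one request.
 *
 * @param string|null $origin  Origin header of the framing page, if the browser sent one
 * @param string|null $referer Referer header, used as the fallback
 * @param string[]    $allowed allowlisted framing origins
 * @return array<string,string> header name => value
 */
function framingHeaders(?string $origin, ?string $referer, array $allowed = ALLOWED_FRAME_ANCESTORS): array
{
    // CSP takes the whole list; browsers that understand frame-ancestors ignore X-Frame-Options.
    $headers = [
        'Content-Security-Policy' => 'frame-ancestors ' . implode(' ', array_merge(["'self'"], $allowed)),
    ];

    // X-Frame-Options ALLOW-FROM accepts exactly one URI, so pick the allowlisted one
    // that matches the caller; anything unknown or absent fails closed to SAMEORIGIN.
    $candidate = originOf($origin) ?? originOf($referer);
    if ($candidate !== null && in_array($candidate, $allowed, true)) {
        $headers['X-Frame-Options'] = 'ALLOW-FROM ' . $candidate;
    } else {
        $headers['X-Frame-Options'] = 'SAMEORIGIN';
    }
    return $headers;
}

if (PHP_SAPI !== 'cli') {
    // Web request (e.g. wired in from an application/bootstrap/app.php hook, an assumption):
    // headers must be sent before any output.
    foreach (framingHeaders($_SERVER['HTTP_ORIGIN'] ?? null, $_SERVER['HTTP_REFERER'] ?? null) as $name => $value) {
        header($name . ': ' . $value);
    }
} else {
    // Constructed sample inputs so the file can be run from the command line.
    print_r(framingHeaders(null, 'https://a-trusted-site.com/embed?x=1'));
    print_r(framingHeaders(null, 'https://a-trusted-site.com.evil.example/'));
    print_r(framingHeaders(null, null));
}
```

Note the design choice: the server never trusts the Referer to grant anything; the browser enforces whichever ALLOW-FROM value is announced, so a wrong or missing Referer (strict referrer policies strip it) only degrades to SAMEORIGIN and the legacy browser cannot frame the page. The CSP header is the same on every response, so modern browsers get the full allowlist regardless of what the Referer said.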