
[Security] Add 2 more Content-Security-Policy options #7579

Merged
merged 1 commit into from
Sep 27, 2021

Conversation

driusan
Collaborator

@driusan driusan commented Sep 24, 2021

This adds two more CSP directives that are defined in CSP Level 3.
(See: https://w3c.github.io/webappsec-csp/)

frame-ancestors: 'none' prevents LORIS from being embedded in an
iframe. This prevents the class of attacks where a third party embeds
the page in an iframe, but covers it with an invisible div to intercept
clicks or other interactions.

form-action: self prevents forms from submitting data to a target that
is off-site.

Testing Instructions

  1. Embed your LORIS instance in an off-site page such as

    <html>
        <body>
            <!-- adjust the URL to wherever your LORIS instance is served -->
            <iframe src="http://localhost:8000"></iframe>
        </body>
    </html>

  2. Access that page; you should get a security warning instead of an embedded version of your LORIS instance
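The browser test above shows the effect of the new directives; a quick header check is useful as a regression test in deployment pipelines. The following is an added example, not LORIS code: it parses a `Content-Security-Policy` header value and reports whether the two directives this PR adds are present with the expected values, in the space-separated form the CSP spec defines (`frame-ancestors 'none'`, `form-action 'self'`). The sample header strings are constructed, not captured from a LORIS instance.

```python
"""Check a Content-Security-Policy header for the two CSP Level 3
directives added in this PR (added example, not LORIS project code)."""
from __future__ import annotations

# Values expected after the change (assumed from the PR description).
EXPECTED: dict[str, set[str]] = {
    "frame-ancestors": {"'none'"},   # no framing by any origin
    "form-action": {"'self'"},       # forms may only post back to LORIS
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive-name: [source expressions]}.

    Per spec, directives are separated by ';', the directive name is
    separated from its values by whitespace (so 'frame-ancestors:' with a
    colon would be an unrecognised directive name), names are
    case-insensitive, and only the first occurrence of a name counts.
    """
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        policy.setdefault(name, parts[1:])
    return policy


def missing_directives(header: str) -> list[str]:
    """Return findings for expected directives that are absent or differ
    from the expected value. An empty list means the header passes."""
    policy = parse_csp(header)
    findings: list[str] = []
    for name, want in EXPECTED.items():
        if name not in policy:
            findings.append(f"{name}: missing")
        elif set(policy[name]) != want:
            findings.append(f"{name}: expected {sorted(want)}, "
                            f"got {sorted(policy[name])}")
    return findings


# Constructed sample headers: before and after applying this PR.
BEFORE = "default-src 'self'; script-src 'self' 'unsafe-inline'"
AFTER = BEFORE + "; frame-ancestors 'none'; form-action 'self'"

if __name__ == "__main__":
    print("before:", missing_directives(BEFORE) or "ok")
    print("after: ", missing_directives(AFTER) or "ok")
```

Note that `frame-ancestors` is only honoured when delivered in the HTTP response header, not in a `<meta http-equiv>` tag, so the check should be run against the actual response headers.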

@driusan driusan changed the base branch from main to 23.0-release September 24, 2021 13:36
@driusan driusan added the labels "Add to Release Notes" (PR change should be highlighted in Release notes: important security, features and bugfixes) and "Security" (PR patches a vulnerability, makes resource access changes, or updates dependencies) Sep 24, 2021
@driusan driusan added the label "Blocked" (PR awaiting the merge, resolution or rejection of another Pull Request) Sep 24, 2021
@driusan driusan removed the label "Blocked" (PR awaiting the merge, resolution or rejection of another Pull Request) Sep 24, 2021
@driusan driusan merged commit 82b5046 into aces:23.0-release Sep 27, 2021
@ridz1208 ridz1208 added this to the 23.0.7 milestone Sep 30, 2021
@ridz1208 ridz1208 modified the milestones: 23.0.7, 23.0.8 Oct 19, 2021