Security: Enable iframe buster on all pages, except Widgets #2701
Comments
If we add new settings, e.g.,
I would recommend secure-by-default. So, the big compat buster is that the Widgets page would display a warning div if enable_framed_widgets=0.
I got confirmation that removing token_auth from all HREF will solve the sec issue. Also, Anthon, we could make secure by default all pages that are NOT widgets (in particular the API page and Email reports page which contain the token). For these, secure by default makes sense (since iframing them is not desired). Plan would be:
PS: contact mauro when fixed
What about this? If any existing sites have anonymous view access, then the updater writes the override setting to config.ini.php. In this case, could we default to no framing anywhere?
but if we don't allow framing of widgets and dashboard, we remove a big feature from Piwik (which would require config file edit to support). It seems in this case that we can keep the feature and make it 100% safe by not having the token_auth in any of the <A> links (which allows for drag-and-drop attacks).
(In [5804]) Refs #2701
Thanks for refactoring. May want to add a comment to global.ini.php that enable_framed_logins overrides this new setting. Otherwise looks OK.
When a report is iframed, and the token_auth is NOT specified, it would be nice if the token_auth was NOT displayed at all on any page. This would prevent clickjacking even further.
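The policy discussed in this thread (bust frames on every page except widgets and the dashboard, let enable_framed_logins override for the login page, keep token_auth out of hrefs) written out as an added JavaScript example. This is not Piwik's own code; the module names, the config object shape and the injected `win` parameter are assumptions made for illustration.

```javascript
// Added example, not Piwik's own code. Policy: deny framing everywhere by default,
// allow only widget/dashboard pages when enable_framed_widgets=1, and let
// enable_framed_logins decide for the login page. Module names are illustrative.
const FRAMEABLE_WHEN_WIDGETS_ENABLED = new Set(['Widgetize', 'Dashboard']);

// Returns true when the page served by `moduleName` may be shown inside a frame.
function isFramingAllowed(moduleName, config) {
  if (moduleName === 'Login') {
    return config.enable_framed_logins === 1; // overrides the widget setting
  }
  if (FRAMEABLE_WHEN_WIDGETS_ENABLED.has(moduleName)) {
    return config.enable_framed_widgets === 1;
  }
  return false; // API, email reports, settings: never frameable
}

// Iframe buster. `win` is injected (in a page, pass `window`) so the logic can be
// exercised outside a browser. Returns true when the page was framed and the
// buster fired; the page is left alone when framing is allowed for this module.
function bustFrameIfNeeded(win, moduleName, config) {
  if (isFramingAllowed(moduleName, config)) return false;
  if (win.top === win.self) return false; // top-level document, nothing to do
  try {
    // Navigate the framing document to our own URL.
    win.top.location.href = win.self.location.href;
  } catch (e) {
    // Parent refused the navigation (e.g. a sandboxed frame): at least hide the
    // content so an invisible copy of the page cannot be clicked through.
    win.document.body.style.display = 'none';
  }
  return true;
}

// Remove token_auth from an href so a framed widget cannot leak it through a
// dragged link. Relative hrefs come back root-relative.
function stripTokenAuth(href) {
  const isAbsolute = /^[a-z][a-z0-9+.-]*:/i.test(href);
  const url = new URL(href, 'http://placeholder.invalid');
  url.searchParams.delete('token_auth');
  return isAbsolute ? url.href : url.pathname + url.search + url.hash;
}
```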