yahoo-eng-team team mailing list archive

[Bug 1118327] Re: Horizon Pages Loadable in Third-Party HTML Frames


** Changed in: horizon
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1118327

Title:
  Horizon Pages Loadable in Third-Party HTML Frames

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  It is possible to load the web application in HTML FRAMES from third-
  party web sites, which makes Horizon vulnerable to various client-side
  attacks such as Clickjacking [1].

  The following code on another webserver will load the page from
  Horizon:

  <html>
    <head><title>XFS test</title></head>
    <body>
      <iframe src="https://horizonwebserver/nova/" width="100%" height="100%"></iframe>
    </body>
  </html>

  An attacker would need to load the web application in an HTML frame
  located on a third-party website. By applying an opaque overlay
  containing other content over the target web application and coercing
  the user to interact with the overlay, user mouse events and key
  presses can be directed through to the target web application.

  A successful attack could allow a malicious user to post fraudulent
  transactions.

  Horizon should ensure that all pages include a JavaScript Frame Killer
  to ensure that the page is only loaded within frames from authorised
  third-party domains or hosts. An example of such a Frame Killer is
  included below.

  <style> html { display: none; } </style>
  <script> if (self == top) { document.documentElement.style.display = 'block'; } else { top.location = self.location; } </script>

  Other options rely on adding the X-Frame-Options header. This could be
  done in the web server's configuration [2], or in Django itself [3].

  [1] https://www.owasp.org/index.php/Clickjacking
  [2] https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header
  [3] https://docs.djangoproject.com/en/dev/ref/clickjacking/

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1118327/+subscriptions
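The following is an added example, not code from the bug report, Horizon or Django. It shows the header-based fix the report points to in [2] and [3] as a small WSGI middleware (the same idea as Django's django.middleware.clickjacking.XFrameOptionsMiddleware and its X_FRAME_OPTIONS setting), together with a checker that decides, from a response's headers, whether a browser honouring X-Frame-Options would render the page inside a frame hosted on another origin. The page origin https://horizonwebserver/ comes from the report; the framing origin https://third-party.example/ and the unprotected_app stub are constructed for the example. Handling of a missing or malformed header (no protection) and of multiple conflicting values (reported as unprotected so the check fails loudly) is this example's own conservative choice.

```python
"""Added example: X-Frame-Options middleware plus a framing-policy checker.
Not part of the Horizon bug report or of Horizon/Django itself."""

from urllib.parse import urlsplit


def _origin(url):
    """Return the normalised scheme://host[:port] of a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def framing_allowed(headers, page_url, framer_url):
    """True if a browser would show page_url inside a frame on framer_url.

    headers: list of (name, value) pairs as a WSGI app returns them.
    No X-Frame-Options header is the vulnerable state described in the
    report, so it yields True. A malformed value is ignored by browsers and
    also yields True. Several distinct values are ambiguous; this checker
    conservatively reports them as unprotected (assumption of this example).
    """
    values = [v.strip() for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return True
    if len(set(v.upper() for v in values)) > 1:
        return True
    token, _, arg = values[0].partition(" ")
    token = token.upper()
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        return _origin(page_url) == _origin(framer_url)
    if token == "ALLOW-FROM" and arg:
        # Legacy directive; kept only so older configurations are evaluated.
        return _origin(arg.strip()) == _origin(framer_url)
    return True  # unknown directive: no protection


class XFrameOptionsMiddleware:
    """WSGI middleware that adds X-Frame-Options to every response unless the
    wrapped app already set one (mirrors the Django middleware in [3])."""

    def __init__(self, app, value="DENY"):
        if value.upper() not in ("DENY", "SAMEORIGIN"):
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
        self.app = app
        self.value = value.upper()

    def __call__(self, environ, start_response):
        def _start(status, headers, exc_info=None):
            if not any(n.lower() == "x-frame-options" for n, _ in headers):
                headers = list(headers) + [("X-Frame-Options", self.value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, _start)


def unprotected_app(environ, start_response):
    """Constructed stand-in for a dashboard view that sets no frame policy."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>dashboard</body></html>"]


def call_app(app, path="/nova/"):
    """Invoke a WSGI app offline and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    page = "https://horizonwebserver/nova/"          # origin from the report
    attacker = "https://third-party.example/"        # constructed origin
    _, headers, _ = call_app(unprotected_app)
    print("no header, third party can frame:", framing_allowed(headers, page, attacker))
    _, headers, _ = call_app(XFrameOptionsMiddleware(unprotected_app, "SAMEORIGIN"))
    print("SAMEORIGIN, third party can frame:", framing_allowed(headers, page, attacker))
    print("SAMEORIGIN, same host can frame:", framing_allowed(headers, page, "https://horizonwebserver/"))
```

Running the block prints True, False, True: the bare app is frameable from anywhere, the wrapped app is not frameable by the third-party origin, and SAMEORIGIN still lets the dashboard frame its own pages. For a deployment where no self-framing is needed, DENY (the middleware default here) is the stricter choice.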