
Security: Enable iframe buster on all pages, except Widgets #2701

Closed
mattab opened this issue Oct 13, 2011 · 8 comments
Labels
Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Milestone

Comments

@mattab
Member

mattab commented Oct 13, 2011

  • Consider extending click jacking http://dev.piwik.org/trac/changeset/4451#file0 and http://piwik.org/faq/how-to/#faq_92 to all pages, including: Email reports, API page.
  • Also, can we remove token_auth from all rendered piwik pages?
    When a report is iframed and the token_auth is NOT specified, it would be nice if the token_auth was NOT displayed in any page at all. This would prevent clickjacking even further.
@robocoder
Contributor

If we add new settings, e.g.,

  • enable_framed_dashboard
  • enable_framed_widgets

I would recommend secure-by-default. So, the big compat buster is that the Widgets page would display a warning div if enable_framed_widgets=0.

@mattab
Member Author

mattab commented Oct 24, 2011

  • when token_auth is NOT specified, the HTML generated in the Iframe will not contain token_auth. So, it is OK that it is not secure.
  • when token_auth is specified, the drag-and-drop vector is due to token_auth found in hard links. AFAIK we can mitigate this issue by removing the token_auth from all links. Then the widgets will be "secure" unless there is some other risk involved I'm missing!

@mattab
Member Author

mattab commented Oct 25, 2011

I got confirmation that removing token_auth from all HREF will solve the sec issue.

Also, Anthon, we could make secure by default all pages that are NOT widgets (in particular the API page and Email reports page, which contain the token). For these, secure by default makes sense (since iframing them is not desired).

Plan would be:

  • allow iframing all widgets and dashboard
  • remove token_auth from all HREF links to prevent drag n drop (token_auth would be added "on click" in javascript?)
  • secure by default (via Xframe deny header) all pages that are NOT (widgets or dashboard)

PS: contact mauro when fixed
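
The second step of the plan above (no token_auth in rendered links, token added only when the link is clicked), written out as an added example that is not Piwik's own code. The URL strings and the `fakeAnchor` stand-in are constructed for the example; in a browser the same `secureAnchor` function would be applied to real `<a>` elements.

```javascript
// Added example, not Piwik's own code: keep token_auth out of rendered
// <a href> attributes (so a dragged or copied link carries no secret) and
// append it only at the moment the user activates the link.

const PARAM = 'token_auth';

// Return the URL with token_auth removed; the URL class re-serialises the query.
function stripTokenAuth(href) {
  const url = new URL(href);
  url.searchParams.delete(PARAM);
  return url.href;
}

// Return the URL with token_auth (re)attached at the end of the query string.
function withTokenAuth(href, token) {
  const url = new URL(href);
  url.searchParams.set(PARAM, token);
  return url.href;
}

// Sanitise one anchor at render time and defer the token to the click event.
// `anchor` only needs `.href` and `.addEventListener`, which a DOM <a> provides.
function secureAnchor(anchor, token) {
  anchor.href = stripTokenAuth(anchor.href);
  anchor.addEventListener('click', () => {
    // The browser navigates after the handler returns, so the token is present
    // in the href only for the duration of the user's own click, never while
    // the link sits in the page where it could be dragged into another frame.
    anchor.href = withTokenAuth(anchor.href, token);
  });
  return anchor;
}

// Apply the same treatment to every anchor of a page (NodeList or array).
function secureAllAnchors(anchors, token) {
  return Array.from(anchors).map((a) => secureAnchor(a, token));
}

// Minimal stand-in for a DOM anchor so the example also runs in Node.
function fakeAnchor(href) {
  const listeners = {};
  return {
    href,
    addEventListener(type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
    },
    click() {
      (listeners.click || []).forEach((fn) => fn());
    },
  };
}
```

In a page this would run once after the report HTML is rendered, passing `document.querySelectorAll('a')` and the session's token to `secureAllAnchors`; a link without token_auth is left unchanged by `stripTokenAuth` and gains the token only when clicked.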

@robocoder
Contributor

What about this? If any existing sites have anonymous view access, then the updater writes the override setting to config.ini.php. In this case, could we default to no framing anywhere?

@mattab
Member Author

mattab commented Nov 22, 2011

But if we don't allow framing of widgets and dashboard, we remove a big feature from Piwik (which would require a config file edit to support). It seems in this case that we can keep the feature and make it 100% safe by not having the token_auth in any of the <A> links (which allows for drag-and-drop attacks).

@mattab
Member Author

mattab commented Feb 11, 2012

(In [5804]) Refs #2701
prevent click jacking attacks by dynamically adding the token auth when the link is clicked

@mattab
Member Author

mattab commented Feb 11, 2012

(In [5805]) Fixes #2701

  • Iframe busting ALL pages except widgets/dashboard
  • Refactored iframe busting code
  • This new behavior might break some backward compatibility but can be disabled by setting enable_framed_pages = 1 in the config file

@vipsoft your review is welcome on this one!
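
The header policy described in the fix above (frame-busting every page except widgets/dashboard, switched off by enable_framed_pages = 1), as an added example that is not Piwik's own code. The module names in `FRAMEABLE` and the sample request URLs are assumptions constructed to match the discussion, not Piwik's actual routing; the CSP `frame-ancestors` directive is the modern companion header and was not part of the 2012 change.

```javascript
// Added example, not Piwik's own code: decide per request whether the
// response gets anti-framing headers. Policy from the issue: deny framing
// everywhere except widget/dashboard pages, unless the config file sets
// enable_framed_pages = 1 (backward compatibility switch).

// Assumption: modules whose pages are meant to be iframed.
const FRAMEABLE = new Set(['Widgetize', 'Dashboard']);

// True when this request may be rendered inside a frame.
function isFramingAllowed(requestUrl, config) {
  // ini values arrive as strings ('0'/'1'), so compare numerically.
  if (Number(config.enable_framed_pages) === 1) return true;
  const module = new URL(requestUrl).searchParams.get('module') || '';
  return FRAMEABLE.has(module);
}

// Headers to add to the response; empty object when framing is allowed.
function frameHeadersFor(requestUrl, config) {
  if (isFramingAllowed(requestUrl, config)) return {};
  return {
    'X-Frame-Options': 'DENY',
    // Modern equivalent understood by browsers that ignore X-Frame-Options;
    // not part of the original change.
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Run the policy over a few constructed requests and report which are denied.
function evaluate(config) {
  const requests = [
    'http://piwik.example/index.php?module=API&method=VisitsSummary.get&format=xml',
    'http://piwik.example/index.php?module=ScheduledReports&action=index',
    'http://piwik.example/index.php?module=Widgetize&action=iframe',
    'http://piwik.example/index.php?module=Dashboard&action=index',
  ];
  return requests.map((url) => ({
    url,
    denied: 'X-Frame-Options' in frameHeadersFor(url, config),
  }));
}
```

With the secure default (`enable_framed_pages = 0`) the API and email-report pages, which carry the token, are denied, while the widget and dashboard pages stay embeddable; the token handling in the links of those framed pages is what keeps them safe, not the header.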

@robocoder
Contributor

Thanks for refactoring.

May want to add a comment to global.ini.php that enable_framed_logins overrides this new setting.

Otherwise looks OK.

This issue was closed.