Re: Headers blocking application content

Hello Saikiran,

First of all, thanks for asking for help on this.
Many other users may also be having difficulty with these issues.

But one thing to keep in mind, "suggest a fix immediately" is not something that should be expected of a group of open source volunteers.

The first thing that I would suggest is that we take a look at Content Security Policy in detail.
Here are a couple of links:
- https://www.w3.org/TR/CSP11/#directive-frame-ancestors
- https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_Content_Security_Policy_frame-ancestors_directive

The first thing I see is that blocking application content would be the desired intention.
But in your case the blocking seems to be overactive.

This directive is an agreement between browser and application server.
So you would need to examine both to make sure that they can handle this directive as expected.
Here is an excerpt from one of the links:

Limitations (of the Content Security Policy frame-ancestors directive)

  • Browser support: frame-ancestors is not supported by all the major browsers yet.
  • X-Frame-Options takes priority: Section 7.7.1 of the CSP Spec says X-Frame-Options should be ignored if frame-ancestors is specified, but Chrome 40 & Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.
So this could explain the different behavior you are seeing from the different browsers.
Secondly, I would double check the intent of each of the directives you are using in your Content-Security-Policy example.
Beyond this, it may be helpful if you were to provide a few more details on how you are using Apache HTTP Server for this.
(httpd version? Which MPM? Using it as a reverse proxy?)

Thanks,

Mike
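A small checker for the two policies quoted in this thread, added here as an illustration; it is not part of Mike's reply or of httpd, and review_csp and FETCH_DIRECTIVES are hypothetical names. It flags a directive with an empty source list (the second header), lists the fetch directives that silently fall back to default-src 'none' in the first header (fonts, frames, media, objects), and derives the X-Frame-Options value that the browsers named in the OWASP excerpt honour ahead of frame-ancestors.

```python
"""Review a Content-Security-Policy value before putting it in
`Header set Content-Security-Policy "..."` (hypothetical helper)."""

# Fetch directives that inherit from default-src when not set explicitly.
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
)


def parse_csp(header):
    """Split 'name src src; name ...' into {name: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def review_csp(header):
    """Return directives with no sources, directives that fall back to
    default-src, and the X-Frame-Options fallback implied by frame-ancestors."""
    policy = parse_csp(header)
    # A directive name followed by nothing is not a usable source list.
    errors = [name for name, srcs in policy.items() if not srcs]
    inherited = []
    if "default-src" in policy:
        # Anything not listed explicitly gets the default-src value,
        # so `default-src 'none'` blocks fonts, frames, media, plugins...
        inherited = [d for d in FETCH_DIRECTIVES if d not in policy]
    # Legacy header for browsers that prefer X-Frame-Options.
    xfo = None
    fa = policy.get("frame-ancestors")
    if fa == ["'none'"]:
        xfo = "DENY"
    elif fa == ["'self'"]:
        xfo = "SAMEORIGIN"
    return {"errors": errors, "inherited": inherited, "x_frame_options": xfo}


if __name__ == "__main__":
    for hdr in (
        "default-src 'none'; script-src 'self'; connect-src 'self'; "
        "img-src 'self'; style-src 'self';",
        "frame-ancestors",
        "frame-ancestors 'self'",
    ):
        print(hdr, "->", review_csp(hdr))
```

Only 'none' and 'self' map onto X-Frame-Options; a frame-ancestors list naming other origins has no exact legacy equivalent and needs a deliberate choice.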

On 5/4/2017 1:04 PM, saikiran.m29@xxxxxxxxx wrote:

Hi,

We are using the below header to fix the vulnerabilities.

 

Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"

But after that, application content is getting blocked while accessing it through the browser.

We have given it a try with the same header but with a different value.

Header set Content-Security-Policy "frame-ancestors"

The application is able to show the content in IE and Firefox but not in Chrome. Please suggest a fix immediately.

Best Regards

Saikiran M
Middleware Administrator | SNXT Operations – Global Service Management Centre
Wipro Limited

