From: "Petr Nemecek" <pnem@cmail.cz>
To: users@flex.apache.org
Subject: Qualys scan/X-Frame-Options
Date: Tue, 4 Mar 2014 19:29:36 +0100

Hi all,

one of our clients ran a Qualys scan on our app. The only finding is shown below. The HTML file is the file that is automatically generated by Flash Builder during the compilation. I assume I will have to add some code into the HTML. Any idea how to cope with that automatically? I.e. not to have to edit the HTML manually whenever I export a new release.

Many thanks,
Petr

************************************
URL: https://www.abc.de/app/app.html
Finding #: 326356057
Group: Information Disclosure
First Time Detected: 15 Feb 2014 04:07 GMT+0200
Last Time Detected: 15 Feb 2014 04:07 GMT+0200
Last Time Tested: 15 Feb 2014 04:07 GMT+0200
Times Detected: 1
CWE: -
OWASP: -
WASC: -
CVSS Base: -
CVSS Temporal: -

Details

Threat: The page can be easily framed. Anti-framing measures are not used.

Impact: Clickjacking and Cross-Site Request Forgery (CSRF) can be performed by framing the target site. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.

Solution: Two of the most popular prevention measures are:
- X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that it must be an HTTP header; the setting is ignored if it is created as an "http-equiv" meta element within the page.
- Framekiller: JavaScript code that prevents the malicious user from framing the page.
************************************
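As an added example (not from the original thread or from Flash Builder): a post-export build step that injects the framekiller named in the finding into the generated wrapper page, idempotently so it can run on every release. The file path and the `SAMPLE_HTML` skeleton are assumptions; the X-Frame-Options header itself still has to be sent by the web server (for Apache httpd with mod_headers, `Header always set X-Frame-Options "SAMEORIGIN"`), because, as the finding notes, a meta element is ignored.

```python
import re
import sys

# Frame-busting script ("framekiller" in the Qualys finding). Defence in depth
# only: the X-Frame-Options header must still be sent by the web server.
FRAMEKILLER = (
    '<script type="text/javascript">\n'
    '  if (window.top !== window.self) {\n'
    '    // framed by another page: replace the framing page with this one\n'
    '    window.top.location = window.self.location;\n'
    '  }\n'
    '</script>'
)

# Matches the opening <head> tag (any case, optional attributes) but not <header>.
HEAD_TAG = re.compile(r"<head(?:\s[^>]*)?>", re.IGNORECASE)

# Constructed stand-in for the Flash Builder wrapper page, used when no path is given.
SAMPLE_HTML = "<html>\n<head>\n<title>app</title>\n</head>\n<body></body>\n</html>\n"


def inject_framekiller(html: str) -> str:
    """Return html with FRAMEKILLER placed directly after the opening <head> tag.

    Idempotent: an already patched page is returned unchanged, so the step can
    run on every export. Raises ValueError if the page has no <head> tag.
    """
    if FRAMEKILLER in html:
        return html
    match = HEAD_TAG.search(html)
    if match is None:
        raise ValueError("no <head> tag found in generated HTML")
    return html[: match.end()] + "\n" + FRAMEKILLER + html[match.end():]


def patch_file(path: str) -> bool:
    """Patch the generated file in place; return True if it was changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched = inject_framekiller(original)
    if patched == original:
        return False
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(patched)
    return True


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python add_framekiller.py bin-release/app.html (assumed path)
        print("patched" if patch_file(sys.argv[1]) else "already patched")
    else:
        print(inject_framekiller(SAMPLE_HTML))
```

Hook the script into the export (e.g. an Ant target run after Flash Builder writes the release folder) and re-run the scan to confirm the header arrives over HTTP as well.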