httpd-users mailing list archives

From Mike Rumph <mike.ru...@oracle.com>
Subject Re: [users@httpd] Headers blocking application content
Date Thu, 04 May 2017 21:41:14 GMT
Hello Saikiran,

First of all, thanks for asking for help on this.
Many other users may also be having difficulty with these issues.

But one thing to keep in mind, "suggest a fix immediately" is not 
something that should be expected of a group of open source volunteers.

The first thing that I would suggest is that we take a look at Content 
Security Policy in detail.
Here are a couple of links:
- https://www.w3.org/TR/CSP11/#directive-frame-ancestors
- https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_Content_Security_Policy_frame-ancestors_directive

The first thing I see is that blocking application content would be the 
desired intention.
But in your case the blocking seems to be overactive.

This directive is an agreement between browser and application server.
So you would need to examine both to make sure that they can handle this 
directive as expected.
Here is an excerpt from one of the links:


Limitations (of Content Security Policy frame-ancestors directive)

  * Browser support: frame-ancestors is not supported by all the major
    browsers yet.
  * X-Frame-Options takes priority: Section 7.7.1 of the CSP Spec
    <https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options>
    says X-Frame-Options should be ignored if frame-ancestors is
    specified, but Chrome 40 & Firefox 35 ignore the frame-ancestors
    directive and follow the X-Frame-Options header instead.

So this could explain the different behavior you are seeing from the 
different browsers.
Secondly, I would double check the intent of each of the directives you 
are using in your Content-Security-Policy example.
Beyond this, it may be helpful if you were to provide a few more details 
on how you are using Apache HTTP Server for this.
(httpd version?, which MPM? using as a reverse proxy?)

Thanks,

Mike

On 5/4/2017 1:04 PM, saikiran.m29@wipro.com wrote:
>
> Hi,
>
> We are using the below header to fix the vulnerabilities.
>
> Header set Content-Security-Policy "default-src 'none'; script-src 
> 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
>
> But after that, application content is getting blocked while accessing 
> it through a browser.
>
> We have given it a try with the same header but with a different value.
>
> Header set Content-Security-Policy "frame-ancestors"
>
> The application is able to show the content in IE and Firefox but not in 
> Chrome. Please suggest a fix immediately.
>
> Best Regards
>
> Saikiran M
>
> Middleware Administrator | SNXT Operations – Global Service 
> Management Centre
>
> Wipro Limited
>
> p: 214924 | Toll Free 1800 200 5656
>
> #146/147, Metagalli industrial area, Mysore 570 016 | Karnataka, INDIA
>
> The information contained in this electronic message and any 
> attachments to this message are intended for the exclusive use of the 
> addressee(s) and may contain proprietary, confidential or privileged 
> information. If you are not the intended recipient, you should not 
> disseminate, distribute or copy this e-mail. Please notify the sender 
> immediately and destroy all copies of this message and any 
> attachments. WARNING: Computer viruses can be transmitted via email. 
> The recipient should check this email and any attachments for the 
> presence of viruses. The company accepts no liability for any damage 
> caused by any virus transmitted by this email. www.wipro.com 
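The two policies quoted in the thread behave very differently because of how a browser resolves directives: fetch directives such as font-src or frame-src fall back to default-src when they are absent (so `default-src 'none'` blocks everything the explicit directives do not re-allow), while frame-ancestors never falls back and an empty source list matches nothing, exactly like 'none'. The following Python model is an added example, not code from the httpd project or from either message; it implements those fallback and source-matching rules from the CSP spec and the X-Frame-Options precedence rule from the OWASP excerpt, and runs the thread's two header values against constructed sample loads (the page origin `https://app.example.com` and the URLs below are assumptions).

```python
"""Added example: a small model of CSP directive resolution, written to
compare the two Content-Security-Policy values quoted in this thread.
Not part of httpd or of the original messages; sample origins and URLs
are constructed for illustration."""

from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
# frame-ancestors is deliberately not listed: it never falls back.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "frame-src", "object-src", "child-src",
}

# The two header values from the quoted message.
POLICY_STRICT = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
                 "img-src 'self'; style-src 'self';")
POLICY_FRAME_ONLY = "frame-ancestors"

PAGE = "https://app.example.com"   # constructed origin of the application


def parse_csp(header_value):
    """Split 'name src src; name src' into {name: [sources]}.
    A directive that appears twice keeps its first value, as the spec requires."""
    policy = {}
    for token in header_value.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), [p.lower() for p in parts[1:]])
    return policy


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def source_matches(source, url, page_origin):
    """One source expression against one URL: keywords, scheme-source,
    and host-source with an optional leading *. wildcard."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(url) == page_origin
    if source == "*":
        return True
    if source.endswith(":"):                    # scheme-source, e.g. https:
        return urlsplit(url).scheme.lower() == source[:-1]
    if "://" in source:                         # https://cdn.example.net
        return origin_of(url) == source
    host = urlsplit(url).netloc.lower()
    if source.startswith("*."):                 # *.example.net
        return host.endswith(source[1:])
    return host == source                       # bare host


def source_list_allows(sources, url, page_origin):
    # An empty source list behaves like 'none': any() over nothing is False.
    return any(source_matches(s, url, page_origin) for s in sources)


def governing_directive(policy, directive):
    """Which directive decides this load?  Fetch directives fall back to
    default-src; anything else applies only when explicitly present."""
    if directive in policy:
        return directive, policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return "default-src", policy["default-src"]
    return None, []


def is_allowed(header_value, directive, url, page_origin=PAGE):
    name, sources = governing_directive(parse_csp(header_value), directive)
    if name is None:            # no directive applies: the load is permitted
        return True
    return source_list_allows(sources, url, page_origin)


def framing_allowed(csp_value, xfo_value, page_origin, parent_origin,
                    honors_frame_ancestors=True):
    """Precedence rule from the OWASP excerpt.  Per the spec a present
    frame-ancestors directive wins and X-Frame-Options is ignored;
    honors_frame_ancestors=False models the older browsers that applied
    X-Frame-Options instead when both headers were sent."""
    policy = parse_csp(csp_value) if csp_value else {}
    ancestors = policy.get("frame-ancestors")
    if ancestors is not None and (honors_frame_ancestors or not xfo_value):
        return source_list_allows(ancestors, parent_origin + "/", page_origin)
    if xfo_value:
        value = xfo_value.strip().upper()
        if value == "DENY":
            return False
        if value == "SAMEORIGIN":
            return parent_origin == page_origin
    return True                 # neither header restricts framing


if __name__ == "__main__":
    loads = [  # (directive, URL) pairs, constructed
        ("script-src", PAGE + "/js/app.js"),
        ("script-src", "https://cdn.example.net/jquery.js"),
        ("font-src", PAGE + "/fonts/app.woff"),
        ("frame-src", PAGE + "/widget"),
    ]
    for label, header in (("strict", POLICY_STRICT), ("frame-only", POLICY_FRAME_ONLY)):
        for directive, url in loads:
            print(f"{label:10} {directive:12} {url:45} {is_allowed(header, directive, url)}")
```

Running the block shows the practical point of Mike's reply: under the first policy the application's own fonts, frames and media are refused because nothing re-allows them once `default-src 'none'` is set, and under the bare `frame-ancestors` the page cannot be framed by anyone, including its own origin, while every other load is unrestricted. The `honors_frame_ancestors` flag on `framing_allowed` makes the browser-dependent precedence from the OWASP excerpt visible without changing the policy.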

