From: Andy LoPresto
Subject: Re: NiFI 1.4.0 UI can't be displayed in an IFrame?
Date: Wed, 13 Dec 2017 18:59:56 -0800
To: dev@nifi.apache.org
In-Reply-To: <1513102541388-0.post@n7.nabble.com>

Virgil,

This was intentionally introduced via NIFI-3907 [1] in Apache NiFi 1.3.0 as a mitigation for CVE-2017-7667 [2]. Prior to this change, a malicious site could have displayed the NiFi UI and introduced invisible overlays such that an unsuspecting user would perform actions like entering sensitive credentials into a malicious form field. See here [3] and here [4] for further information on Cross Frame Scripting / Clickjacking, as the attack is called.

If you have some kind of enterprise portal and have a legitimate need to display a NiFi UI within a frame that is not hosted on the same origin, you can resort to modifying the value provided to the response header in the filter here [5]. If you need this as an included feature in NiFi (for example, a configurable URI in nifi.properties), I suggest raising a Jira ticket, but I have to caution that it would be a low priority, as this actively weakens the security of the system and is not a common use case.
[1] https://issues.apache.org/jira/browse/NIFI-3907
[2] https://nifi.apache.org/security.html#CVE-2017-7667
[3] https://www.owasp.org/index.php/Cross_Frame_Scripting
[4] http://msdn.microsoft.com/en-us/library/ms533028%28VS.85%29.aspx
[5] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java#L1000

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Dec 12, 2017, at 10:15 AM, tanezavm <vft.bizman@gmail.com> wrote:
>
> Hi,
>
> I tried to display NiFi 1.4.0 UI in an IFrame but it failed to load with
> error below:
>
> Refused to display 'https://172.16.0.33:8443/nifi/' in a frame because it
> set 'X-Frame-Options' to 'sameorigin'.
>
> Note: This setup works using NiFi 1.1.2.
>
> Kindly advise.
>
>
> Thanks,
> Virgil
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
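The following Python is an added illustration for readers of this thread; it is not part of the messages above and not NiFi's own code. It models the check a browser performs before rendering a response inside an iframe, which is exactly what produced Virgil's "Refused to display ... because it set 'X-Frame-Options' to 'sameorigin'" error: the NiFi origin (scheme, host, port) is compared with the origin of the top-level page. It goes one step beyond the thread by also evaluating the Content-Security-Policy frame-ancestors directive, the standard way to allow-list one specific embedding origin rather than dropping the protection entirely. The NiFi URL is the one from the question; `portal.example` and `evil.example` are constructed placeholder origins.

```python
"""Browser anti-framing policy evaluator (added example, not NiFi code).

Models the decision a browser makes before rendering a page in an <iframe>:
the legacy X-Frame-Options header (DENY / SAMEORIGIN) and its standardised
replacement, the CSP frame-ancestors directive. Origins are compared as
(scheme, host, port), as the same-origin policy requires.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) origin of a URL, filling default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname.lower(), port)


def xfo_allows(xfo: str | None, framed_url: str, top_url: str) -> bool:
    """Apply X-Frame-Options the way browsers do: only DENY and SAMEORIGIN bind.

    A missing header imposes no restriction, which is why a UI without it can
    be framed by any site (the clickjacking exposure NIFI-3907 closed).
    Unrecognised values such as the obsolete ALLOW-FROM are ignored by
    current browsers, so they impose no restriction either.
    """
    if xfo is None:
        return True
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(top_url)
    return True


def frame_ancestors_allows(csp: str | None, framed_url: str, ancestor_url: str) -> bool:
    """Apply CSP frame-ancestors: an explicit allow-list of embedding origins.

    Supports the source forms a deployment realistically needs: 'none', 'self',
    a full scheme://host[:port] source, and a host wildcard such as
    https://*.example.com. Scheme-less and other exotic sources are skipped.
    Returns True when the directive is absent (no restriction).
    """
    if csp is None:
        return True
    sources = None
    for directive in (d.strip() for d in csp.split(";") if d.strip()):
        name, _, rest = directive.partition(" ")
        if name.lower() == "frame-ancestors":
            sources = rest.split()
            break
    if sources is None:
        return True
    ancestor = origin_of(ancestor_url)
    for src in (s.lower() for s in sources):
        if src == "'none'":
            return False
        if src == "'self'":
            if ancestor == origin_of(framed_url):
                return True
            continue
        scheme, _, hostport = src.partition("://")
        if not hostport:
            continue
        host, _, port = hostport.partition(":")
        port_num = int(port) if port else DEFAULT_PORTS.get(scheme)
        if scheme != ancestor[0] or port_num != ancestor[2]:
            continue
        if host.startswith("*.") and ancestor[1].endswith(host[1:]):
            return True
        if host == ancestor[1]:
            return True
    return False


def framing_decision(headers: dict, framed_url: str, top_url: str) -> tuple:
    """Decide whether top_url may frame framed_url given its response headers.

    Per the CSP specification a frame-ancestors directive takes precedence over
    X-Frame-Options when both are present. Returns (allowed, reason).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp and "frame-ancestors" in csp.lower():
        ok = frame_ancestors_allows(csp, framed_url, top_url)
        return ok, "frame-ancestors %s %s" % ("permits" if ok else "refuses", urlsplit(top_url).netloc)
    xfo = lower.get("x-frame-options")
    if xfo is None:
        return True, "no anti-framing header: any site may frame this page (clickjacking risk)"
    ok = xfo_allows(xfo, framed_url, top_url)
    return ok, "X-Frame-Options %r %s %s" % (xfo, "permits" if ok else "refuses", urlsplit(top_url).netloc)


# Constructed sample inputs: the NiFi URL from the thread, a hypothetical
# enterprise portal origin, and the header NiFi 1.4.0 reportedly sent.
NIFI_URL = "https://172.16.0.33:8443/nifi/"
PORTAL_URL = "https://portal.example/dashboard"
NIFI_1_4_HEADERS = {"X-Frame-Options": "sameorigin"}
PORTAL_ALLOWLIST = {"Content-Security-Policy": "frame-ancestors 'self' https://portal.example"}
NO_HEADER: dict = {}

if __name__ == "__main__":
    for label, hdrs in [("NiFi 1.4.0 default", NIFI_1_4_HEADERS),
                        ("explicit portal allow-list", PORTAL_ALLOWLIST),
                        ("no header (pre-1.3 behaviour)", NO_HEADER)]:
        ok, why = framing_decision(hdrs, NIFI_URL, PORTAL_URL)
        print("%-32s -> %s: %s" % (label, "rendered" if ok else "refused", why))
```

Running it shows the three outcomes side by side: the 1.3.0+ default refuses the portal because `portal.example:443` is not the NiFi origin, an explicit `frame-ancestors` allow-list renders the portal while still refusing any other site, and the header-less configuration renders everywhere, which is the exposure the header was introduced to remove. The same functions can be pointed at captured response headers from a deployment to audit whether a change to the filter left the UI frameable by arbitrary origins.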