MashZone NextGen 10.2 | Appendix | Administration | MashZone NextGen Security | Anti-Clickjacking prevention when using iFrame
 
Anti-Clickjacking prevention when using iFrame
For security reasons we recommend configuring your iFrame settings to protect your MashZone NextGen installation against clickjacking attacks.
Clickjacking is a vulnerability where an attacker creates a page that uses iFrame to render another page, then creates invisible controls on top of the rendered page that may be able to sniff user input.
General information on the clickjacking attack vector can be found on https://www.owasp.org/index.php/Clickjacking.
MashZone NextGen offers two ways to prevent successful clickjacking attacks. To allow framing from trusted sites, MashZone NextGen uses the X-Frame-Options header with the ALLOW-FROM value. Using this, a website A can configure the header to carry the top level URI of a website B which is allowed to iframe website A. A second way to prevent clickjacking attacks is the Content-Security-Policy header, which is supported by most web browsers.
Details on how to use iFrame with MashZone NextGen can be found in Embedding MashZone NextGen in external system environments.
MashZone NextGen HTTP header security filter
MashZone NextGen provides a specific HTTP header security filter included in the web.xml file. By default, this filter always sends the X-Frame-Options: SAMEORIGIN header; it can be configured to send ALLOW-FROM for any number of trusted websites. This HTTP response header instructs the browser to refuse to render any content from MashZone NextGen in an iFrame, unless the iFrame is within MashZone NextGen itself.
HttpHeaderSecurityFilter
The following is the commented configuration in the web.xml file.
<filter>
<filter-name>HTTP Header Security Filter</filter-name>
<filter-class>
com.jackbe.jbp.sas.security.ui.http.HttpHeaderSecurityFilter
</filter-class>
<!-- Init Param: antiClickJackingEnabled

Should the anti click-jacking header (X-Frame-Options)
be set on the response.
Valid options: true or false

When true, X-Frame-Options will always contain "SAMEORIGIN".
This instructs browsers to disallow iframing
of MzNG content outside of the MzNG application itself.

If false, X-Frame-Options will
not be sent at all, which completely disables clickjacking protection
(allows any site to iframe MzNG)

Note: X-Frame-Options is superseded by Content-Security-Policy.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
-->
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<!-- Init Param: antiClickJackingUris

List of comma separated Uris for sites allowed to iframe content in MzNG.

To allow external sites to iframe MzNG content, uncomment this init param,
and add the site uri to the list.
Also configure the 'Content Security Policy' filter below.

If the request to MzNG contains a referer value matching the scheme,
host and port
of one of the Uris in the list, the X-Frame-Options header will send
"ALLOW-FROM uri". This allows the browser to render the iframe.
If there is no match (or the list is empty) X-Frame-Options will send
"SAMEORIGIN" and the browser will refuse to render the iframe.

Any site added to this list should also be added to
'Content Security Policy' header.
<init-param>
<param-name>antiClickJackingUris</param-name>
<param-value>http://some-server.com</param-value>
</init-param>
-->
<!-- Init param: hstsEnabled

Enable HTTP Strict Transport Security (HSTS) header
(Strict-Transport-Security) to be set on the response for
secure requests -->
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<!-- Init Param: hstsMaxAgeSeconds

The max age value that should be used in the HSTS header.
Negative values will be
treated as zero. If not specified, the default value of 0 will be used.
-->
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>604800</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>HTTP Header Security Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The antiClickJackingUris parameter can take a list of comma separated URIs. The parameter is commented out by default. Any request for a MashZone NextGen resource containing a "Referer" header field matching the scheme, host and port of a URI in the antiClickJackingUris parameter will result in a response containing the X-Frame-Options response header with the appropriate ALLOW-FROM value. If there is no match, then X-Frame-Options will carry the SAMEORIGIN value.
Example
The website http://website-a.com is configured as trusted, and is therefore listed in the antiClickJackingUris parameter. It contains a page that uses an iFrame to embed a MashZone NextGen dashboard. When a user visits this page on website-a.com, the browser will attempt to fetch the iFramed dashboard from MashZone NextGen. The request generated by the browser will carry the HTTP request header "Referer" containing the full URI of the page containing the iFrame. MashZone NextGen will match the "Referer" URI with the trusted URI from the antiClickJackingUris parameter and recognize that the website is trusted. As a result, the response will carry the HTTP response header "X-Frame-Options: ALLOW-FROM http://website-a.com". The browser will then allow the iFrame to render.
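The matching rule described above, modelled in Python as an added example (this is not the filter's own code): the Referer is reduced to scheme, host and port and compared as a whole against each configured URI, so a look-alike host or a different port never matches. The two trusted sites are the page's hypothetical examples; treating a missing port as the scheme's default port is an assumption of this model.

```python
from urllib.parse import urlsplit

# Constructed value mirroring the antiClickJackingUris init-param; the two
# site names are hypothetical, taken from the page's own examples.
ANTI_CLICKJACKING_URIS = "http://website-a.com, http://website-b.com:9999"

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_triple(uri):
    """Reduce a URI to (scheme, host, port). A missing port becomes the scheme's
    default port (assumption of this model: 'http://a' and 'http://a:80' are equal)."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def x_frame_options(referer, trusted_value=ANTI_CLICKJACKING_URIS):
    """Return the X-Frame-Options value following the rule the page describes:
    ALLOW-FROM <trusted URI> when the Referer's scheme, host and port all match one
    of the configured URIs; SAMEORIGIN otherwise, including when no Referer was sent."""
    if not referer:
        return "SAMEORIGIN"
    try:
        ref = origin_triple(referer)
    except ValueError:      # malformed port in the Referer: treat as no match
        return "SAMEORIGIN"
    for raw in trusted_value.split(","):
        trusted = raw.strip()
        # Whole-triple comparison: a host that merely starts with the trusted
        # host (e.g. website-a.com.evil.example) does not match.
        if trusted and origin_triple(trusted) == ref:
            return "ALLOW-FROM " + trusted
    return "SAMEORIGIN"


if __name__ == "__main__":
    for ref in ("http://website-a.com/embed.html",
                "http://website-b.com/embed.html",
                "http://website-a.com.evil.example/embed.html",
                None):
        print(repr(ref), "->", x_frame_options(ref))
```

A framing page that sends no Referer (for example because of a restrictive Referrer-Policy) never matches, so the response falls back to SAMEORIGIN and the frame does not render in browsers that honour X-Frame-Options.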
MashZone NextGen Content Security Policy
Most modern browsers such as Microsoft Edge, Chrome, Firefox and Safari check for the newer Content-Security-Policy HTTP header instead of X-Frame-Options. Within the MashZone NextGen web.xml file is a second HTTP filter class that sends the HTTP header Content-Security-Policy. This filter is configured by default to send the value frame-ancestors 'self', which is equivalent to SAMEORIGIN in that it instructs the browser to allow the iFrame only when the framing page belongs to the originating website.
Note: The Content-Security-Policy is not supported by Microsoft Internet Explorer.
ContentSecurityPolicy
<filter>
<!--
Allows setting of HTTP header Content-Security-Policy
http://www.w3.org/TR/CSP2/

To prevent clickjacking attacks default is "frame-ancestors 'self'"
which disallows external iframing of MzNG content.

To allow additional websites to iframe MzNG content,
add the site Uri after 'self'.
For example:
"frame-ancestors http://*.example.com/ 'self'"

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
-->
<filter-name>Content Security Policy</filter-name>
<filter-class>com.jackbe.jbp.sas.security.ui.http.ContentSecurityPolicyFilter</filter-class>
<init-param>
<param-name>policy</param-name>
<param-value>frame-ancestors 'self'</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Content Security Policy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Adding a trusted site to allow iFrame
The default settings do not allow external sites to iframe internal MashZone NextGen assets such as dashboards, apps, etc. Specifically, "X-Frame-Options: SAMEORIGIN" and "Content-Security-Policy: frame-ancestors 'self'" are set, which instructs the browser to disallow rendering MashZone NextGen content in any external iFrame. Via configuration and a restart, this restriction can be relaxed.
1. Open the web.xml file in a text editor. The file is located in <MashZone NextGen installation>/MashZoneNG/apache-tomcat/webapps/[presto|mashzone]/WEB-INF/.
2. Find the <filter> entry of the HTTP Header Security Filter and uncomment the antiClickJackingUris parameter.
3. Replace the sample URI 'http://some-server.com' with the URI of the website allowed to iframe MashZone NextGen content.
4. Find the <filter> entry for Content-Security-Policy. Insert the URI of the website allowed to iframe MashZone NextGen content into the policy parameter, between frame-ancestors and 'self'.
Example:
<init-param>
<param-name>policy</param-name>
<param-value>frame-ancestors http://*.eur.ad.sag:* 'self'</param-value>
</init-param>
Adding multiple trusted sites to allow iFrame
To allow more than one website, perform the steps as shown in Adding a trusted site to allow iFrame.
1. In the HTTP Header Security filter, add a comma separated list of URIs as the antiClickJackingUris value:
<init-param>
<param-name>antiClickJackingUris</param-name>
<param-value>http://website-a.com, http://website-b.com:9999</param-value>
</init-param>
2. In the Content-Security-Policy filter, add the URI to the policy parameter value, separated by a space:
<init-param>
<param-name>policy</param-name>
<param-value>frame-ancestors http://website-a.com http://website-b.com 'self'</param-value>
</init-param>
Content-Security-Policy using wildcards
The Content-Security-Policy allows wildcards to be used in the policy. For example, to allow any website on any port hosted in the "eur.ad.sag" domain, you can specify:
<init-param>
<param-name>policy</param-name>
<param-value>frame-ancestors http://*.eur.ad.sag:* 'self'</param-value>
</init-param>
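How a browser evaluates the frame-ancestors values from the multiple-site and wildcard examples above, modelled in Python as an added example (not the filter's or any browser's code). It follows the host-source matching of CSP Level 2, which the page references: a '*.' prefix matches subdomains but not the bare apex, a ':*' port matches any port, and a source without a port matches only the scheme's default port. The MashZone NextGen origin used for 'self' is a hypothetical value.

```python
from urllib.parse import urlsplit

# Constructed policy copied from the page's wildcard example; SELF_ORIGIN is a
# hypothetical MashZone NextGen host standing in for 'self'.
POLICY = "frame-ancestors http://*.eur.ad.sag:* 'self'"
SELF_ORIGIN = "https://mashzone.example.org"
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_frame_ancestors(policy):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def source_matches(expr, url, self_origin=SELF_ORIGIN):
    """CSP Level 2 host-source matching of one expression against a framing page URL."""
    if expr == "'self'":
        expr = self_origin
    scheme, _, rest = expr.partition("://") if "://" in expr else (None, None, expr)
    host, _, port = rest.split("/", 1)[0].lower().partition(":")
    try:
        u = urlsplit(url)
        u_port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme.lower())
    except ValueError:              # unparsable port in the URL: no match
        return False
    u_scheme, u_host = u.scheme.lower(), (u.hostname or "").lower()
    if scheme is None:              # no scheme given: the protected page's scheme applies
        scheme = urlsplit(self_origin).scheme
    if scheme.lower() != u_scheme:  # CSP2: the scheme must match exactly
        return False
    if host.startswith("*."):       # '*.' matches subdomains only, never the apex itself
        if not u_host.endswith(host[1:]):
            return False
    elif host != "*" and host != u_host:
        return False
    if port == "*":
        return True
    expected = int(port) if port else DEFAULT_PORTS.get(scheme)  # no port: default port only
    return expected == u_port


def frame_allowed(policy, framing_page_url, self_origin=SELF_ORIGIN):
    """True if the policy lets framing_page_url embed the protected page; a policy
    without frame-ancestors places no CSP restriction on framing at all."""
    sources = parse_frame_ancestors(policy)
    if sources is None:
        return True
    return any(source_matches(e, framing_page_url, self_origin) for e in sources)
```

Because a source without a port matches only the default port, a framing page served on a non-default port (such as website-b.com:9999 in the antiClickJackingUris example) must carry that port in frame-ancestors as well, or the browser will refuse the frame.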

Copyright © 2013-2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release