Bug #54201

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Implement Clickjacking Protection

Added by Helmut Hummel over 1 year ago. Updated over 1 year ago.

Status: Resolved
Start date: 2013-12-04
Priority: Could have
Due date:
Assigned To: -
% Done: 100%
Category: -
Spent time: 4.00 hours
Target version: 6.2.0
Estimated time: 12.00 hours
TYPO3 Version: 6.2
Is Regression: No
PHP Version:
Sprint Focus:
Complexity: easy

Description

  • Send X-Frame-Options headers (X-Frame-Options: SAMEORIGIN) in the backend by default
    • Find an appropriate place where to send these headers
    • Add TYPO3_CONF_VARS configuration to disable it
  • Provide the possibility to disable this protection if not needed/wanted.
  • Coordinate with the Security Guide writers to mention web server configuration for the FE (no PHP implementation for frontend requests)

A JS snippet to reveal the body tag only when the iframe is included in the correct parent URL is not needed, as the browsers supported by TYPO3 6.2 (Chrome, Safari, FF, IE >7) support X-Frame-Options.
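The description above asks for an X-Frame-Options: SAMEORIGIN header on backend responses and notes that frame-busting JavaScript is unnecessary because supported browsers honour the header. As an added example (not code from the TYPO3 project or from this issue), the following Python check reads a raw HTTP response, evaluates the header the way a conforming browser would, and reports whether a foreign origin is blocked from framing the page while the backend's own origin (which renders its modules in frames, hence SAMEORIGIN rather than DENY) can still do so. The sample responses, the backend URL and the attacker.invalid parent origin are constructed placeholders; a missing header, duplicate headers, or any value other than DENY/SAMEORIGIN is treated conservatively as "not protected" because browser handling of those cases is not uniform.

```python
"""Check whether an HTTP response carries an X-Frame-Options header that
stops the page from being framed by a foreign origin, while still letting
the site's own origin frame it (the SAMEORIGIN policy the issue asks for)."""
from urllib.parse import urlsplit


def origin(url):
    """Reduce a URL to its (scheme, host, port) origin tuple, filling in
    the default port so https://a.example and https://a.example:443 match."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, host, port)


def parse_response_headers(raw):
    """Split a raw HTTP/1.x response (constructed sample input, not real
    traffic) into its status line and a dict of lower-cased header names
    mapped to the list of values seen for that name."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def framing_allowed(headers, page_url, parent_url):
    """Return True if a browser honouring X-Frame-Options would render
    page_url inside a frame hosted on parent_url.

    Conservative reading: a missing header, several X-Frame-Options headers,
    or a value other than DENY / SAMEORIGIN is treated as "no protection",
    because browser behaviour for those cases differs."""
    values = [v.strip().upper() for v in headers.get("x-frame-options", [])]
    if len(values) != 1:
        return True
    value = values[0]
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(page_url) == origin(parent_url)
    return True


def check_clickjacking_protection(raw, page_url, foreign_parent="https://attacker.invalid/"):
    """Summarise the framing posture of one backend response.

    'protected' means a foreign origin cannot frame the page; 'self_framing'
    means the site's own origin still can, which a backend that renders its
    modules in iframes needs. foreign_parent is a constructed placeholder."""
    _, headers = parse_response_headers(raw)
    return {
        "header": headers.get("x-frame-options", [None])[0],
        "protected": not framing_allowed(headers, page_url, foreign_parent),
        "self_framing": framing_allowed(headers, page_url, page_url),
    }


# Constructed sample responses (not captured from a real TYPO3 install).
BACKEND_URL = "https://cms.example/typo3/index.php"
WITH_HEADER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>backend</body></html>"
)
WITHOUT_HEADER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>backend</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("with header", WITH_HEADER), ("without header", WITHOUT_HEADER)):
        print(label, check_clickjacking_protection(raw, BACKEND_URL))
```

Note that origin comparison includes scheme and port, so a backend served over https is not frameable from an http page on the same host; this is the same rule browsers apply and is why the check normalises default ports before comparing.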


Related issues

related to Security Guide - Task #57144: Configuration to add HTTP Headers to backend responses Closed 2014-03-21

Associated revisions

Revision 517efee3
Added by Helmut Hummel over 1 year ago

[SECURITY] Implement Click Jacking Protection

To protect the backend from click jacking attacks
an HTTP header needs to be sent, which prevents
embedding backend pages in an iframe on domains
different than the one used to access the backend.

All recommended browsers respect this header
and prevent the backend page from being shown in an
iframe, so we do not need to implement further
JavaScript frame busting solutions.

Resolves: #54201
Documentation: #57144
Releases: 6.2
Change-Id: Ic83cae4917bb62ff8fe8b55a947ace7dba86d223
Reviewed-on: https://review.typo3.org/28601
Reviewed-by: Christian Kuhn
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

History

#1 Updated by Helmut Hummel over 1 year ago

  • Project changed from Core Security to Core

#2 Updated by Helmut Hummel over 1 year ago

  • Target version set to 6.2.0
  • Is Regression set to No

#3 Updated by Helmut Hummel over 1 year ago

  • Status changed from New to Accepted
  • Priority changed from Should have to Could have

#4 Updated by Ingo Schmitt over 1 year ago

  • Parent task set to #55066

#5 Updated by Helmut Hummel over 1 year ago

  • Estimated time set to 12.00

Helmut Hummel wrote:

X-Frame-Options headers

JS snippet to reveal the body tag only when the iframe is included in the correct parent URL (find reference implementation)

#6 Updated by Helmut Hummel over 1 year ago

  • Complexity set to easy

#7 Updated by Gerrit Code Review over 1 year ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28601

#8 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28601

#9 Updated by Helmut Hummel over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
