I need to prevent clickjacking attacks in jetty, i tried the following code in web.xml but it doesn't work.
in web.xml
<filter>
<filter-name>HeaderFilter</filter-name>
<filter-class>org.eclipse.jetty.servlets.HeaderFilter</filter-class>
<init-param>
<param-name>headerConfig</param-name>
<param-value>X-Frame-Options: SAMEORIGIN
</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>HeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
What does the <filter-mapping> for that <filter> look like in your web.xml ?
I would expect something like ...
<filter-mapping>
<filter-name>HeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The partial configuration in your question will result in matching responses that go through your webapp to have the following response headers.
X-Frame-Options: DENY
Cache-Control: <prior-cache-control-headers>, no-cache, no-store, must-revalidate
Expires: <now + 31540000000ms in the future>
Date: <now>
Not sure how that applies to your question about click-jacking though.
Are you sure you want X-Frame-Options: DENY and not something more sane like X-Frame-Options: sameorigin ?
What about the response header Content-Security-Policy?
See if you need that header, with something like Content-Security-Policy: frame-ancestors 'self'; perhaps?
What about having a strict SameSite setting for your Cookies?
Related
When I am trying to integrate my react js application with the gateway I am facing CORS issue as below
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://IP:port/userme. (Reason: header ‘access-control-allow-credentials’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).
everything is working from curb & postman request but not from browser.
Curb request (successful request)
HTTP/1.1 200
X-Frame-Options: DENY
Access-Control-Expose-Headers:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: HEAD, DELETE, POST, GET, PATCH, PUT
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=37C2604B133C7B9D1345A9E13A878A36; Path=/; HttpOnly
Expires: 0
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,Authorization
Content-Type: application/json;charset=UTF-8
Date: Tue, 17 Mar 2020 16:26:14 GMT
Transfer-Encoding: chunked
Try
1) enabling access-control-allow-credentials and
2) adding access-control-allow-credentials to the Access-Control-Allow-Headers list in the configuration.
CORS is enabled by default for all APIs but you need to send following values in header earlier i was sending Access-Control-Allow-Headers and other values too which was causing issue....
'Accept': 'application/json',
'content-Type':'application/json',
'Access-Control-Allow-Origin': '*',
'Authorization' : 'Bearer '+token,
Google Sign-In via OpenID Connect
For a web app I use Google Sign-In via OpenID Connect. It worked well for users all over Europe without any problems.
Since July login from Spanish IPs is no longer possible because it ends with a CORS error.
The reason for the CORS problem is that after a request with "Origin" in the request header, the response header did not contain the 'access-control-allow-origin'.
The problem request is against the jwks-uri ("https://www.googleapis.com/oauth2/v3/certs") from the Google Discovery Document.
The missing 'access-control-allow-origin' in response header occurs only from requests from Spanish IPs. Europe-wide the response header contains the 'access-control-allow-origin'* .
The missing 'Access-Control-Allow-Origin' in the Response Header can be viewed with curl:
curl -v -H "Origin: https://bla.appspot.com" https://www.googleapis.com/oauth2/v3/certs
Correct response outside Spain:
...
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< access-control-allow-origin: https://bla.appspot.com
< access-control-expose-headers: date,content-encoding,server,content-length
< alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"
< accept-ranges: none
...
Incorrect response from Spanish IPs:
...
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< cache-control: public, max-age=24874, must-revalidate, no-transform
< age: 9060
< alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"
< accept-ranges: none
...
Why does this only happen with Spanish IPs and how do I get a required "access-control-allow-origin" in a response header?
I opened a case at Google Support that confirmed the fix today.
"...
The App Engine specialist confirmed that the issue was on our end and it was fixed. Can you check and confirm that from your end?
..."
In case of request of Spanish and French IPs against the
jwks-uri ("https://www.googleapis.com/oauth2/v3/certs")
an access-control-allow-origin will be delivered in the Response Header again.
The following request was blocked by AWS web app firewall cross site scripting rule. But what is suspicious? All seem normal to me!
POST /package.asmx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000)
VsDebuggerCausalityData: uIDPo313Tw/LhjNJn3K1llXBHoEAAAAA9KbUetLg5kixdCJ3yXly/+zfyrFP4XJPrTb7S6ewbdQACQAA
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://www.ingeneus.com.au/GetAccountStatus"
Host: www.eyecloud.net.au
Content-Length: 618
Expect: 100-continue
Connection: Keep-Alive
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<GetAccountStatus xmlns="http://www.ingeneus.com.au/">
<sBusinessDomainId>1</sBusinessDomainId>
<strRddSerialNum>EC1600027</strRddSerialNum>
<strPassword>2bb4f34fdff49f1f56b6e708ab49ff22</strPassword>
<bRegisteredInCloud>false</bRegisteredInCloud>
<bAssignedToClinic>false</bAssignedToClinic>
<bAccountActive xsi:nil="true" />
<cPaymentStatus xsi:nil="true" />
</GetAccountStatus>
</soap:Body>
</soap:Envelope>
The header SOAPAction: "http://www.ingeneus.com.au/GetAccountStatus" is triggering the rule.
Change your code so that this header is removed or changed to SOAPAction: "".
I'm trying to build a Ember app with PHP REST framework as my api locally. The Ember app is being served at http://localhost:4200 and the api is being served from just http://localhost. This is causing a CORS issue. I've tried everything that I can think of, but I keep getting an error back saying the request was blocked and that the preflight channel did not succeed. It doesn't succeed in Firefox or Chrome.
I've added the following to the .htaccess file for my api:
Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header set Access-Control-Allow-Origin "http://localhost:4200"
Header set Access-Control-Allow-Credentials true
Header set Access-Control-Allow-Headers "accept, content-type"
Here's my request headers:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://localhost:4200
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
And the response headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, content-type
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Origin: http://localhost:4200
Connection: close
Content-Type: text/html; charset=utf-8
Date: Fri, 24 Jul 2015 17:10:49 GMT
Server: Apache/2.4.9 (Win64) PHP/5.5.12
Set-Cookie: 24fd751c8630b64fcf935a94e8bcef46=qih6pfnqo94d4cgi5b5d79h4i6; path=/
Transfer-Encoding: chunked
X-Powered-By: PHP/5.5.12
p3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Any ideas or solutions? Any help is appreciated. Thanks!
Is you your preflight OPTIONS request returning 200? You can try and return a 200 response with your .htaccess like this:
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header always set Access-Control-Allow-Origin "http://localhost:4200"
Header always set Access-Control-Allow-Credentials true
Header always set Access-Control-Allow-Headers "accept, content-type"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
One possible issue may be that the browser isn't caching the server response to the browser's OPTIONS request. To fix this, try including an "Access-Control-Max-Age" header in your response and setting it to something like '86400' (1 day). Another issue, according to MDN's documentation on CORS, may be that since you are specifying a specific origin and not just using a wildcard response for the origin, you need to include a "vary" header in your response to specify that responses from the server will depend on the origin of the request. This can be done in the response like so:
Vary: Origin
If you get a CORS error with your main request following a successful OPTIONS request, I believe you also need to include the "Access-Control-Allow-Origin" header and "Vary" header in that response as well.
Hope this helps!
As this answer states, proper handling of the pre-flight OPTIONS request is necessary, but NOT SUFFICIENT for cross-site resource requests to work. All responses to any subsequent requests after prefligh must include Access-Control-Allow-Headers. Hope this helps.
In the server side servlet, add the headers and return 200 status. Example from RESTFul WCF service, where following code was added in Global.asax file
protected void Application_AuthenticateRequest(object sender, EventArgs e){
Response.AddHeader("Access-Control-Allow-Origin", "*");
if (Context.Request.HttpMethod.Equals("OPTIONS")) {
Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
Response.AddHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
Response.StatusCode = (int)System.Net.HttpStatusCode.OK;
Context.ApplicationInstance.CompleteRequest();
}
}
I'm trying to force the WSO2 to set the http version to 1.0 because the client of a service requires the Content-Length property. I configured the following properties in the outSequence, before the <send/>:
<property name="FORCE_HTTP_1.0" value="true" scope="axis2"/>
<property name="DISABLE_CHUNKING" value="true" scope="axis2"/>
but it doesn't works! The response header:
HTTP/1.0 200 OK
userAgent: Synapse-PT-HttpComponents-NIO
Host: localhost:8280
SOAPAction: "sendMessage"
Accept-Encoding: gzip,deflate
Content-Type: text/xml; charset=UTF-8
Server: WSO2-PassThrough-HTTP
Date: Thu, 13 Mar 2014 21:55:25 GMT
Connection: Close
I'm using ESB 4.6.0 and SoapUI to call the service.
Why the Content-Length doesn't appears? What's wrong?
This is a bug in ESB and we fixed it recently.
https://wso2.org/jira/browse/ESBJAVA-2985
The properties you mentioned are not working in outSequence path.
The fix should be available in next release.
The patch for Synapse transport is also attached in ESBJAVA-2985 and you may patch the Synapse version in your WSO2 ESB.