Bug 5231 - Enable embedding/integrating Web Access in other web pages
Summary: Enable embedding/integrating Web Access in other web pages
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access
Version: 4.2.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: MediumPrio
Assignee: Peter Åstrand
Reported: 2014-08-22 14:49 CEST by Karl Mikaelsson
Modified: 2024-10-08 15:38 CEST

Description Karl Mikaelsson cendio 2014-08-22 14:49:20 CEST
Comment 6 Samuel Mannehed cendio 2024-07-16 10:43:21 CEST
When working on this, we need to control the circumstances where embedding is possible. Allowing embedding across the board without limitations could have security implications.

Security scanner tools like Nessus complain about the current headers sent by Web Access, saying that there is a potential vulnerability to “Clickjacking”:

https://www.tenable.com/plugins/nessus/85582

In short, headers “X-Frame-Options” or “Content-Security-Policy” could possibly give us the control we need:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Comment 8 Madeleine cendio 2024-10-08 10:33:52 CEST
In a related fix, bug 8192, the SameSite attribute for cookies was explicitly set to Lax to align with modern browser behaviour and improve cross-site request security. This change was made to ensure predictable cookie handling and will prevent embedding Web Access in an iframe.

Comment 9 Emelie cendio 2024-10-08 15:38:57 CEST
Another thing to note: the "Secure" attribute must be set when using SameSite=None.
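
The three comments above describe two independent gates that together decide whether an embedded Web Access works: the framing policy (X-Frame-Options or CSP frame-ancestors, comment 6) and whether the session cookie is even sent inside a cross-site iframe (SameSite, comments 8 and 9). The following header audit is an added example and not ThinLinc code; it models both gates with simplified CSP source matching and a two-label "site" approximation, and the sample responses, origins and cookie name are constructed. It shows why a SameSite=Lax cookie blocks embedding even when no framing header is sent, and what a restricted-but-embeddable configuration looks like.

```python
"""Audit of framing and cookie headers for an embedding decision.

Hypothetical helper, not part of ThinLinc. It answers two questions for a
page served from `page_origin` and an iframe hosted by `embedder`:
  1. Does X-Frame-Options / CSP frame-ancestors allow the frame at all?
  2. Would the session cookie be sent to the framed page (SameSite/Secure)?
"""
from urllib.parse import urlsplit


def _origin_parts(origin):
    """Split an origin like https://host:port into (scheme, host, port)."""
    u = urlsplit(origin)
    default = 443 if u.scheme.lower() == "https" else 80
    return u.scheme.lower(), u.hostname.lower(), u.port or default


def _site(host):
    """Crude eTLD+1 approximation (last two labels); enough for this example."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _csp_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list matches nothing, same as 'none'.
            return [p.lower() for p in parts[1:]] or ["'none'"]
    return None


def _source_matches(source, page_origin, embedder):
    """Simplified CSP source matching: 'none', 'self', *, scheme:, host[:port], *.host."""
    page = _origin_parts(page_origin)
    e_scheme, e_host, e_port = _origin_parts(embedder)
    if source == "'none'":
        return False
    if source == "'self'":
        return page == (e_scheme, e_host, e_port)
    if source == "*":
        return True
    if source.endswith(":"):                      # scheme source, e.g. https:
        return e_scheme == source[:-1]
    scheme, _, hostport = source.rpartition("://")
    host, _, port = hostport.split("/")[0].partition(":")
    if scheme and scheme != e_scheme:
        return False
    if port and port != "*" and int(port) != e_port:  # port checked only when given
        return False
    if host.startswith("*."):
        return e_host.endswith(host[1:])
    return e_host == host


def framing_allowed(headers, page_origin, embedder):
    """Gate 1: may `embedder` frame the page? CSP frame-ancestors wins over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        ok = any(_source_matches(s, page_origin, embedder) for s in sources)
        return ok, "frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return _origin_parts(page_origin) == _origin_parts(embedder), "X-Frame-Options: SAMEORIGIN"
    return True, "no framing restriction (what the Nessus clickjacking check flags)"


def cookie_sent_in_frame(set_cookie, page_origin, embedder):
    """Gate 2: would the cookie from this Set-Cookie header reach the framed page?"""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value
    declared = attrs.get("samesite")
    samesite = (declared or "Lax").lower()        # modern browsers default to Lax
    secure = "secure" in attrs
    p_scheme, p_host, _ = _origin_parts(page_origin)
    e_scheme, e_host, _ = _origin_parts(embedder)
    same_site = p_scheme == e_scheme and _site(p_host) == _site(e_host)
    label = f"SameSite={declared or 'absent (Lax default)'}"
    if samesite == "none":
        if not secure:
            return False, "SameSite=None without Secure is rejected by browsers"
        return True, "SameSite=None; Secure: sent cross-site"
    if same_site:
        return True, f"{label}: same-site frame, cookie sent"
    return False, f"{label}: cross-site frame, cookie withheld"


def audit(headers, page_origin, embedder):
    """Combine both gates; embedding only works when the frame loads AND the session cookie arrives."""
    framed, why_frame = framing_allowed(headers, page_origin, embedder)
    cookie, why_cookie = cookie_sent_in_frame(headers.get("Set-Cookie", "session=x"), page_origin, embedder)
    return {"framing_allowed": framed, "framing_reason": why_frame,
            "session_in_frame": cookie, "cookie_reason": why_cookie,
            "embedding_works": framed and cookie}


# Constructed sample responses (not captured from a real server).
LAX_NO_FRAMING_HEADER = {"Set-Cookie": "session=abc; Path=/; HttpOnly; SameSite=Lax"}
RESTRICTED_EMBEDDABLE = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://portal.example.org",
    "Set-Cookie": "session=abc; Path=/; HttpOnly; Secure; SameSite=None",
}
NONE_WITHOUT_SECURE = {"Set-Cookie": "session=abc; Path=/; HttpOnly; SameSite=None"}

if __name__ == "__main__":
    for name, hdrs in [("lax", LAX_NO_FRAMING_HEADER), ("restricted", RESTRICTED_EMBEDDABLE)]:
        print(name, audit(hdrs, "https://tl.example.com", "https://portal.example.org"))
```

The first sample reproduces the situation in comment 8: nothing forbids the frame, yet embedding fails because the Lax cookie never reaches the framed page. The second shows the combination that an explicit embedding feature would need: frame-ancestors naming the allowed portal origin (so the scanner's clickjacking finding is addressed without opening framing to everyone) together with a SameSite=None; Secure session cookie, as comment 9 requires.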