Bug 5231 - Enable embedding/integrating Web Access in other web pages
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access
Version: 4.2.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: MediumPrio
Assignee: Peter Åstrand
Reported: 2014-08-22 14:49 CEST by Karl Mikaelsson
Modified: 2024-07-25 16:15 CEST

Description Karl Mikaelsson cendio 2014-08-22 14:49:20 CEST

    
Comment 6 Samuel Mannehed cendio 2024-07-16 10:43:21 CEST
When working on this, we need to control the circumstances where embedding is possible. Allowing embedding across the board without limitations could have security implications.

Security scanner tools like Nessus complain about the current headers sent by Web Access, saying that there is a potential vulnerability to “Clickjacking”:

https://www.tenable.com/plugins/nessus/85582

In short, headers “X-Frame-Options” or “Content-Security-Policy” could possibly give us the control we need:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
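
Added example, not part of the bug report and not ThinLinc code: one way the two headers named in comment 6 could restrict embedding to an explicit allow-list of parent origins. The function names, the `allowed_embedders` parameter and the sample origins are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def _normalize_origin(origin):
    """Return 'https://host[:port]' or raise ValueError for anything else."""
    # Whitespace, ';' or ',' in a configured value could smuggle extra CSP
    # directives into the header; quotes and '*' would widen the policy.
    if any(c in origin for c in " \t\r\n;,'\"*"):
        raise ValueError(f"illegal character in origin: {origin!r}")
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"origin must be https://host[:port]: {origin!r}")
    if parts.path or parts.query or parts.fragment or parts.username:
        raise ValueError(f"origin must be a bare origin: {origin!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{parts.hostname}{port}"


def framing_headers(allowed_embedders=()):
    """Build response headers that control which pages may frame this one.

    allowed_embedders is a hypothetical configuration value: an iterable of
    origins permitted to embed the page. Empty means no embedding at all.
    """
    origins = sorted({_normalize_origin(o) for o in allowed_embedders})
    if not origins:
        ancestors = "'none'"
    else:
        ancestors = " ".join(origins)
    return {
        "Content-Security-Policy": f"frame-ancestors {ancestors}",
        # X-Frame-Options cannot express an allow-list (ALLOW-FROM is
        # obsolete). Browsers that enforce frame-ancestors ignore this header
        # when both are sent, so DENY only affects clients without CSP
        # support, which then fail closed.
        "X-Frame-Options": "DENY",
    }


if __name__ == "__main__":
    # Constructed sample origins.
    for name, value in framing_headers(["https://portal.example.com"]).items():
        print(f"{name}: {value}")
```
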
