tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-06-30 00:19:25 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2219 from chillu/pulls/clickjacking

Browse Source 
BUG Prevent clickjacking in CMS and Security controllers (fixes #2215)
This commit is contained in:
Sam Minnée 2013-07-16 14:35:53 -07:00
commit 2ca089532f
3 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
admin/code/LeftAndMain.php
View File

@ -449,6 +449,9 @@ class LeftAndMain extends Controller implements PermissionProvider {
$title = $this->Title();
if(!$response->getHeader('X-Controller')) $response->addHeader('X-Controller', $this->class);
if(!$response->getHeader('X-Title')) $response->addHeader('X-Title', urlencode($title));
// Prevent clickjacking, see https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
$this->response->addHeader('X-Frame-Options', 'SAMEORIGIN');
return $response;
}

27
docs/en/topics/security.md
View File

@ -407,6 +407,8 @@ configuration and test fixtures).
You should therefore block access to all yaml files (extension .yml) by default, and white list only yaml files
you need to serve directly.
See [Apache](/installation/webserver) and [Nginx](/installation/nginx) installation documentation for details
specific to your web server
See [Apache](/installation/webserver) and [Nginx](/installation/nginx) installation documentation for details specific to your web server
## Passwords
@ -437,6 +439,31 @@ In addition, you can tighten password security with the following configuration
* `Member.lock_out_delay_mins`: Minutes of enforced lockout after incorrect password attempts.
Only applies if `lock_out_after_incorrect_logins` is greater than 0.
## Clickjacking: Prevent iframe Inclusion
"[Clickjacking](http://en.wikipedia.org/wiki/Clickjacking)" is a malicious technique
where a web user is tricked into clicking on hidden interface elements, which can
lead to the attacker gaining access to user data or taking control of the website behaviour.
You can signal to browsers that the current response isn't allowed to be
included in HTML "frame" or "iframe" elements, and thereby prevent the most common
attack vector. This is done through a HTTP header, which is usually added in your
controller's `init()` method:
:::php
class MyController extends Controller {
public function init() {
parent::init();
$this->response->addHeader('X-Frame-Options', 'SAMEORIGIN');
}
}
This is a recommended option to secure any controller which displays
or submits sensitive user input, and is enabled by default in all CMS controllers,
as well as the login form.
## Related
* [http://silverstripe.org/security-releases/](http://silverstripe.org/security-releases/)

7
security/Security.php
View File

@ -270,6 +270,13 @@ class Security extends Controller {
return;
}
public function init() {
parent::init();
// Prevent clickjacking, see https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
$this->response->addHeader('X-Frame-Options', 'SAMEORIGIN');
}
/**
* Get the login form to process according to the submitted data