On 2023/02/07 12:29, Peter J. Philipp wrote:
> On Tue, Feb 07, 2023 at 10:41:34AM +0000, Stuart Henderson wrote:
> > On 2023/02/07 10:20, Peter J. Philipp wrote:
> > > Hi,
> > > 
> > > Arslan Kabeer (on the Internet) made me aware of clickjacking being done on
> > > my site using OpenBSD httpd.  The following patch implements an RFC 7034
> > > protection called "noiframe" which disallows other sites (but not the same
> > > site) from adding an iframe to my site.
> > > 
> > > The config change is like this:
> > > 
> > > ----->
> > >         location "/" {
> > >                 directory index index.html
> > >                 noiframe
> > 
> > Using a specific keyword for every site protection header that
> > somebody might want seems a bit much. (There are other settings for
> > x-frame-options, other headers like content-security-policy and
> > x-content-type-options, and various deprecated ones).
> > 
> > Wouldn't a general-purpose "set header X with the value Y" make
> > more sense?
> 
> Yes, this makes more sense.  Ignore my patch then; it was whipped up this
> morning when I got the vulnerability report from Arslan.  I'm unable to
> look deeper and more generally into this, though, I have other TODOs.
> 
> It seems a mystery to me, however, how to add this header in httpd based
> on the manual page, if that is the hint.  Perhaps the maintainer of this
> program now has an idea what we need and can schedule programming for it.

There's no current way to do it with just httpd. Existing headers have
been handled with separate keywords, but stacking more on top in that
way doesn't seem the ideal approach when the set of possible headers
that might be needed is not limited.

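As an added illustration (my own example, not code from this thread or from OpenBSD httpd): a small checker that evaluates whether a response's headers stop other origins from framing the page, using the two headers the replies mention, X-Frame-Options (RFC 7034) and Content-Security-Policy frame-ancestors. The header sets at the bottom are constructed samples.

```python
from typing import Dict, List, Tuple

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [sources]} (names lowercased)."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def framing_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'denied', 'restricted' or 'unprotected'.

    A CSP frame-ancestors directive takes precedence over X-Frame-Options
    (CSP Level 2), so it is checked first; header names are case-insensitive.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            if ancestors == ["'none'"]:
                return "denied", "CSP frame-ancestors 'none'"
            if "*" in ancestors or "http:" in ancestors or "https:" in ancestors:
                return "unprotected", "CSP frame-ancestors allows any origin"
            return "restricted", "CSP frame-ancestors limited to " + " ".join(ancestors)
    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "unprotected", "neither X-Frame-Options nor frame-ancestors is set"
    token = xfo.strip().upper()
    if token == "DENY":
        return "denied", "X-Frame-Options DENY"
    if token == "SAMEORIGIN":
        return "restricted", "X-Frame-Options SAMEORIGIN"
    if token.startswith("ALLOW-FROM"):
        return "unprotected", "ALLOW-FROM is obsolete and ignored by current browsers"
    return "unprotected", f"unrecognised X-Frame-Options value {xfo!r}"

# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "bare": {"Content-Type": "text/html"},
    "xfo": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "open": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:>5}: {framing_protection(hdrs)}")
```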