On Friday, March 27, 2015 at 7:12:02 PM UTC-4, Scott Hunter wrote:
>
> 1. Does web2py employ, allow or support any anti-framing measures, to
> prevent "an attack that can trick the user into clicking on the link by
> framing the original page and showing a layer on top of it with dummy
> buttons". If so, any pointers to either documentation describing how these
> are present, or how one would enable them, would be appreciated.
> Supposedly not employing such measures can allow clickjacking and/or CSRF.
>
I don't think web2py does anything by default, but you can add protection yourself by setting the X-Frame-Options and/or Content-Security-Policy headers in a model file:

    response.headers['X-Frame-Options'] = "SAMEORIGIN"
    response.headers['Content-Security-Policy'] = "frame-ancestors 'self'"

Perhaps web2py should set the Content-Security-Policy header by default, maybe with an optional configurable whitelist of allowed ancestors. Note, you can also configure your server (e.g., nginx, Apache) to automatically set the above headers. You can also implement a Javascript defense, such as this one <https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script>.

>
> 2. Does, or can, web2py "prevent the browser from prompting the user to
> save populated values for later reuse"?
>

It doesn't by default (as that is a user preference configurable in the browser), but nothing stops you from using the various available solutions, such as setting the "autocomplete" attribute of form and input elements to "off" (which can be done on the server or via Javascript) or using Javascript to reset the form after rendering.

Anthony

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
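The two headers Anthony suggests interact in a way that is easy to get wrong: a browser that understands CSP Level 2 ignores X-Frame-Options entirely whenever the policy carries a frame-ancestors directive, and only falls back to X-Frame-Options when it does not. The following is an added example, not code from the original post or from web2py, that builds the header pair described above (with the optional whitelist of allowed ancestors Anthony mentions) and evaluates, for a given page URL and a given framing origin, whether a CSP-aware browser would permit the frame. The header dictionary, the page and ancestor URLs, and the helper names (anti_framing_headers, framing_allowed, frame_ancestors_sources) are all assumptions of this example; the matching rules follow the CSP source-expression grammar as I understand it, simplified to scheme, host (with a leading "*." wildcard) and port.

```python
"""Clickjacking header helper and checker (added example, not web2py code).

anti_framing_headers()  builds the X-Frame-Options / CSP pair from the post.
framing_allowed()       answers: would a CSP-aware browser let ancestor_url
                        frame page_url given these response headers?
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def anti_framing_headers(extra_ancestors=()):
    """Headers recommended in the post, plus an optional ancestor whitelist.

    X-Frame-Options cannot express a whitelist, so it stays SAMEORIGIN even
    when extra ancestors are given: browsers that honour frame-ancestors
    ignore it anyway, and older browsers then fail closed (assumed policy).
    """
    sources = ["'self'", *extra_ancestors]
    return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors " + " ".join(sources),
    }


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _origin(url):
    """(scheme, host, port) with the port resolved to the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def frame_ancestors_sources(headers):
    """Source list of the frame-ancestors directive, or None if absent.

    An empty list means the directive is present without sources, which the
    CSP spec treats like 'none'.
    """
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _host_source_matches(src, ancestor, page):
    """Match one CSP host-source or scheme-source against an ancestor origin."""
    a_scheme, a_host, a_port = ancestor
    if "://" not in src and src.endswith(":"):          # scheme-source, e.g. "https:"
        return a_scheme == src[:-1].lower()
    scheme, sep, rest = src.partition("://")
    scheme = scheme.lower() if sep else None
    host, _, port = (rest if sep else src).partition(":")
    host = host.lower()
    if scheme is not None and scheme != a_scheme:
        return False
    if scheme is None and not (a_scheme == page[0] or (page[0] == "http" and a_scheme == "https")):
        return False                                    # scheme-less source follows the page's scheme
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):               # "*.example.com" matches "a.example.com"
            return False
    elif host != a_host:
        return False
    if port:
        return port == "*" or int(port) == a_port
    return a_port == DEFAULT_PORTS.get(a_scheme)        # no port given: default port only


def framing_allowed(headers, page_url, ancestor_url):
    """True if a CSP-aware browser would allow ancestor_url to frame page_url."""
    page, ancestor = _origin(page_url), _origin(ancestor_url)
    sources = frame_ancestors_sources(headers)
    if sources is not None:
        # frame-ancestors present: X-Frame-Options is ignored by the browser.
        if not sources or any(s.lower() == "'none'" for s in sources):
            return False
        for src in sources:
            if src == "*":
                return True
            if src.lower() == "'self'":
                if ancestor == page:
                    return True
            elif not src.startswith("'") and _host_source_matches(src, ancestor, page):
                return True
        return False
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        return True                                     # no defence at all
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return ancestor == page
    # Unrecognised values (including the obsolete ALLOW-FROM) are ignored by
    # current browsers, which leaves the page framable. Assumed behaviour.
    return True
```

Run framing_allowed() against the headers your deployment actually returns (for example, the output of curl -I) rather than the ones you intended to set; a reverse proxy that strips or rewrites Content-Security-Policy will silently change the answer.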