On Saturday, March 28, 2015 at 12:26:24 PM UTC-4, Massimo Di Pierro wrote:
>
> perhaps we should but being able to frame pages is something that people 
> always want as a feature.
>

The two header examples below allow framing if the ancestor page is from 
the same domain as the framed page. I wouldn't necessarily set the 
X-Frame-Options header by default in the framework, as that header is 
non-standard and being deprecated in favor of Content-Security-Policy, 
which itself is more flexible and allows specification of a whitelist of 
allowed ancestors. I was suggesting maybe setting Content-Security-Policy, 
with framing from the same domain allowed by default, and with an easy to 
set setting to specify a whitelist (e.g., 
response.allowed_frame_ancestors). I'm not sold on the idea -- just 
something to consider.

Another option might be to include a commented line in the scaffolding app 
that would make it easier/more obvious for developers to provide this 
protection.

Anthony
 

>
> On Saturday, 28 March 2015 09:52:58 UTC-5, Anthony wrote:
>>
>> On Friday, March 27, 2015 at 7:12:02 PM UTC-4, Scott Hunter wrote:
>>>
>>> 1. Does web2py employ, allow or support any anti-framing measures, to 
>>> prevent "an attack that can trick the user into clicking on the link by 
>>> framing the original page and showing a layer on top of it with dummy 
>>> buttons".  If so, any pointers to either documentation describing how these 
>>> are present, or how one would enable them, would be appreciated. 
>>>  Supposedly not employing such measures can allow clickjacking and/or CSRF.
>>>
>>
>> I don't think web2py does anything by default, but you can add protection 
>> yourself by setting the X-Frame-Options and/or Content-Security-Policy 
>> headers in a model file:
>>
>> response.headers['X-Frame-Options'] = "SAMEORIGIN"
>> response.headers['Content-Security-Policy'] = "frame-ancestors 'self'"
>>
>> Perhaps web2py should set the Content-Security-Policy header by default, 
>> maybe with an optional configurable whitelist of allowed ancestors.
>>
>> Note, you can also configure your server (e.g., nginx, Apache) to 
>> automatically set the above headers.
>>
>> You can also implement a Javascript defense, such as this one 
>> <https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script>.
>>  
>>
>>>
>>> 2. Does, or can, web2py "prevent the browser from prompting the user to 
>>> save populated values for later reuse"?
>>>
>>
>> It doesn't by default (as that is a user preference configurable in the 
>> browser), but nothing stops you from using the various available solutions, 
>> such as setting the "autocomplete" attribute of form and input elements to 
>> "off" (which can be done on the server or via Javascript) or using 
>> Javascript to reset the form after rendering.
>>
>> Anthony
>>
>>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
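The following is an added example, not code from this thread or from web2py itself. It sketches what the `response.allowed_frame_ancestors` idea discussed above could look like in a model file: a helper (hypothetical name `frame_protection_headers`) that turns a whitelist of ancestor origins into the two headers Anthony mentions, plus a small check (`framing_protected`) you can run against any response's headers to see whether cross-site framing is actually blocked. The plain `headers` dict stands in for web2py's `response.headers`; the origins used in the tests are constructed sample values.

```python
# Added example (not from the thread or from web2py): build anti-framing
# headers from a whitelist of ancestor origins, and check a header dict for
# framing protection. `headers` below stands in for web2py's response.headers.
import re
from urllib.parse import urlsplit

# scheme://host[:port] with an optional leading "*." wildcard, nothing else;
# anything that could smuggle quotes, semicolons or spaces into the CSP
# directive is rejected rather than emitted.
_HOST_RE = re.compile(r"^(\*\.)?[A-Za-z0-9.-]+(:\d+)?$")


def _origin(url):
    """Reduce a whitelist entry to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not _HOST_RE.match(parts.netloc):
        raise ValueError("ancestor must be an absolute http(s) origin: %r" % (url,))
    return "%s://%s" % (parts.scheme, parts.netloc)


def frame_protection_headers(allowed_ancestors=()):
    """Return the headers that allow framing only by the page's own origin
    plus the given ancestors (the hypothetical response.allowed_frame_ancestors)."""
    origins = []
    for url in allowed_ancestors:
        origin = _origin(url)
        if origin not in origins:
            origins.append(origin)

    headers = {
        "Content-Security-Policy": "frame-ancestors " + " ".join(["'self'"] + origins)
    }
    # X-Frame-Options can only say "deny" or "same origin" (its ALLOW-FROM form
    # takes a single origin and is not widely supported), so it is sent only
    # when the policy is exactly 'self'; otherwise browsers that ignore CSP
    # would block the ancestors the whitelist is meant to allow.
    if not origins:
        headers["X-Frame-Options"] = "SAMEORIGIN"
    return headers


def framing_protected(headers):
    """True if these response headers stop arbitrary third-party pages from
    framing the response (a defender's check, e.g. over a crawled site)."""
    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            # "*" or a bare scheme such as "https:" allows any ancestor at all.
            return all(s != "*" and not s.endswith(":") for s in sources)

    # No frame-ancestors directive: fall back to the legacy header.
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM ")


if __name__ == "__main__":
    # In a web2py model file this would be: response.headers.update(...)
    print(frame_protection_headers())
    print(frame_protection_headers(["https://partner.example/widget?x=1"]))
    print(framing_protected({"Content-Security-Policy": "frame-ancestors *"}))
```

In a model file the call would be `response.headers.update(frame_protection_headers(allowed))`. Note the trade-off built into the helper: once the whitelist is non-empty the only enforcement comes from `Content-Security-Policy`, because `X-Frame-Options` has no way to express a list of origins.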
