CVE-2021-3660: common: Restrict frame embedding to same origin · cockpit-project/cockpit@8d9bc10
Cockpit (and its plugins) do not seem to protect themselves against clickjacking. It is possible to render a page from a Cockpit server inside an <iframe> on another website. A malicious website could use this for clickjacking or similar attacks.
common: Restrict frame embedding to same origin
Declare `X-Frame-Options: sameorigin` [1] so that cockpit frames can only be embedded into pages coming from the same origin. This is similar to setting CORP in commit 2b38b8d (which applies to `<script>`, `<img>`, etc.).
The main use case for embedding is to run cockpit-ws behind a reverse proxy, while also serving other pages. Cross-origin embedding is discouraged these days to prevent "clickjacking".
Cross-origin embedding already did not work in most cases: Frames would always just show the login page. However, this looks confusing and is unclean. With X-Frame-Options, the browser instead shows an explanatory error page.
Mention the same origin requirement in the embedding documentation.
Fixes #16122 https://bugzilla.redhat.com/show_bug.cgi?id=1980688 CVE-2021-3660
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
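An added example, not code from the cockpit project, that models the browser-side effect of the header this commit adds: given a response's headers, the origin serving it and the origin of the embedding page, it reports whether the frame would be rendered. The origins and the two header sets below are constructed for the example.

```javascript
// Decide whether a browser would let a page from `embedderOrigin` frame a
// response served by `resourceOrigin`, following the X-Frame-Options rules:
// DENY refuses every embed, SAMEORIGIN allows only an identical origin, and
// a missing or unrecognised value leaves embedding allowed.
// `headers` is a plain object keyed by lower-cased header name.
function framingAllowed(headers, resourceOrigin, embedderOrigin) {
  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return false;
  if (xfo === "sameorigin") return resourceOrigin === embedderOrigin;
  // No header (the pre-fix behaviour) or an obsolete value such as
  // ALLOW-FROM: modern browsers ignore it and render the frame.
  return true;
}

// Constructed responses: before the commit (no header) and after it
// (`X-Frame-Options: sameorigin`, as the commit message describes).
const BEFORE = { "content-type": "text/html" };
const AFTER = { "content-type": "text/html", "x-frame-options": "sameorigin" };

// Compare the two for one embedding scenario.
function report(resourceOrigin, embedderOrigin) {
  return {
    before: framingAllowed(BEFORE, resourceOrigin, embedderOrigin),
    after: framingAllowed(AFTER, resourceOrigin, embedderOrigin),
  };
}

// Same-origin embedding (cockpit-ws behind a reverse proxy that also serves
// the embedding page) keeps working; a third-party origin is refused once
// the header is present. Hostnames are placeholders.
console.log(report("https://cockpit.example", "https://cockpit.example"));
console.log(report("https://cockpit.example", "https://other.example"));
```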
Showing with 22 additions and 17 deletions.
- +3 −1 doc/guide/embedding.xml
- +2 −0 pkg/base1/test-http.js
- +1 −1 src/bridge/test-httpstream.c
- +1 −1 src/bridge/test-packages.c
- +6 −0 src/common/cockpitwebresponse.c
- +1 −1 src/common/test-webresponse.c
- +1 −1 src/ws/test-channelresponse.c
- +3 −1 test/verify/check-connection
- +4 −11 test/verify/check-embed