A few weeks back we added a new config section called IFramePolicy into the alfresco-security-config.xml file. This config section describes which pages Alfresco Share should allow to be '(i)framed', in other words included inside Alfresco Share within an iframe. It is available in Alfresco Enterprise 4.1.4 and also for Community on HEAD.
The reason we added this config is to improve mitigation of phishing attacks. To read more about phishing attacks please visit OWASP's page on the subject.
So how does this concern you? If you are a developer and you have code that creates iframes, you should honour the config before creating the iframe. If you are a system administrator, you are probably interested in overriding the default config, because it allows *any* page to be iframed.
Let's start by taking a look at the default configuration defined in share-security-config.xml.
// TODO: Display error message saying the IFramePolicy doesn't allow this url
// TODO: Display the iframe just like you did before
First we check if the IFramePolicy is there; we do this to make sure our code will continue to work in older Alfresco Share versions that don't have an IFramePolicy. Then we check if the url that we are about to display is trusted by the IFramePolicy config. If it isn't, we display a friendly error message telling the user how to proceed.
Creating a whitelist of trusted domains
As an administrator you probably want to override the default configuration to keep your Alfresco Share installation as safe as possible. This is very simple to do:
Copy the following code and add it to your share-config-custom.xml file:
As you can see, we have overridden/replaced the IFramePolicy's <cross-domain> element so that it no longer contains the default <url>*</url> but instead multiple <url> elements, each specifying a url prefix to trust.
The url check is done using a 'startswith' comparison (not a regexp), meaning you can, if you like, trust only certain pages on a domain. For example, you could add a <url> element like the one below:
Note! Avoid adding a url that consists of only the protocol and domain and doesn't end with a forward slash ('/'), since http://www.my-proxy-server.com.evil-server.se/phishing-attack.html obviously starts with http://www.my-proxy-server.com but not with http://www.my-proxy-server.com/ .
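To make the developer-side check and the trailing-slash caveat concrete, here is an added example in plain JavaScript. It is not Alfresco's code and it does not use the Share config API; the <cross-domain>/<url> shape of the sample config is assumed from this post, the sample XML and the URLs in it are constructed for the example, and the tiny regex reader stands in for whatever a real Share component would use to obtain the list. The check itself mirrors what the post describes: no policy present means "behave as before", a <url>*</url> trusts everything, and otherwise the candidate url must start with one of the configured prefixes. A small lint helper flags prefixes that stop at the host name, which is exactly the case the note above warns about.

```javascript
// Added example, not Alfresco's own code. Config shape assumed from the blog post.
const SAMPLE_CONFIG = `
<cross-domain>
  <url>http://www.my-proxy-server.com/</url>
  <url>https://intranet.example.com/docs/</url>
</cross-domain>`; // constructed sample, not a real site list

// Toy reader: collects the text of each <url> element into an array of prefixes.
// A real Share component would read the IFramePolicy through the config service.
function readTrustedUrls(xml) {
  const urls = [];
  const re = /<url>\s*([^<]*?)\s*<\/url>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    urls.push(m[1]);
  }
  return urls;
}

// The policy check as the post describes it:
//  - null/undefined list  -> no IFramePolicy in this Share version, allow as before
//  - "*"                  -> every url is trusted
//  - otherwise            -> plain 'startswith' against each configured prefix
function isTrustedUrl(url, trustedUrls) {
  if (trustedUrls == null) {
    return true;
  }
  return trustedUrls.some(prefix => prefix === '*' || url.startsWith(prefix));
}

// Lint helper: returns the prefixes that are just scheme://host with no path,
// i.e. the ones that also match look-alike hosts such as host.evil-server.se.
function prefixWarnings(trustedUrls) {
  const hostOnly = /^[a-z][a-z0-9+.-]*:\/\/[^/]+$/i;
  return trustedUrls.filter(prefix => prefix !== '*' && hostOnly.test(prefix));
}

// What an iframe-creating component would do before rendering: decide, and
// return a reason string that can be shown as the "friendly error message".
function decideIframe(url, configXml) {
  const trusted = configXml == null ? null : readTrustedUrls(configXml);
  if (isTrustedUrl(url, trusted)) {
    return { allowed: true, reason: 'url is trusted by the IFramePolicy' };
  }
  return {
    allowed: false,
    reason: 'The IFramePolicy does not allow ' + url +
            '; ask an administrator to add its prefix to share-config-custom.xml'
  };
}

// Stand-alone demo of the caveat from the post.
const bad = 'http://www.my-proxy-server.com.evil-server.se/phishing-attack.html';
console.log(decideIframe(bad, SAMPLE_CONFIG).allowed);            // false (prefix ends with '/')
console.log(isTrustedUrl(bad, ['http://www.my-proxy-server.com'])); // true  (prefix has no '/')
console.log(prefixWarnings(['http://www.my-proxy-server.com']));    // flagged by the lint helper
```

The lint helper is the part worth keeping around: running it over the configured <url> list when the config is loaded (or in a build step) catches the missing-slash mistake before a look-alike domain can benefit from it.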
That's it, I hope you enjoyed the blog post, if you have any questions please add a comment.