Closed: dlaidlaw closed this issue 7 years ago.
Hi @dlaidlaw, thanks for bringing this up. You are mentioning Mesos, but not Marathon. Still, do you think that those headers should be set on Marathon? And do you think it is a critical issue? I am currently trying to think of a good blackbox example.
So as an attacker I would have to know the address of the Marathon server; then I could send an XHR GET to the apps endpoint and delete all applications with a for loop.
Hi @Poltergeist, yes, it is definitely a problem in Marathon as well. Sorry about the Mesos in the original request, that was a copy/paste error. I also made the same request of the Mesos folks. The main issue for me is clickjacking. Without the X-Frame-Options header it can be very easy to do some nasty things with iframes. And the attacker does not even need access to the target application.
I propose adding a feature to Marathon which introduces those request headers and prevents your Marathon from running in an iframe. But I would suggest that this be an opt-in feature which you have to enable with an argument, since one may want to run Marathon in an iframe.
Yes, I agree with that. The X-Frame-Options setting can take multiple values:
Or nothing; not specifying the X-Frame-Options header at all is a good default to match the current behavior of Marathon.
Note: This issue has been migrated to https://jira.mesosphere.com/browse/MARATHON-2546. For more information see https://groups.google.com/forum/#!topic/marathon-framework/khtvf-ifnp8.
Cross-site scripting and clickjacking are major concerns. Many issues can be resolved by setting some headers in the HTTP responses for the user interface and in the REST responses for both the master and slave processes.
X-Frame-Options: Can be set to deny, sameorigin, or allow-from
X-XSS-Protection: 1; mode=block
These would go a long way to making sites using Marathon more secure. Note that the user exploiting these attacks does not need to have access to the Marathon hosts; they are attacked through a user's web browser. So if the user can connect to both Marathon and the internet, it is an issue.
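The following is an added example, not Marathon's code, illustrating the two headers listed in this issue and the opt-in design discussed in the comments above: a builder that emits `X-Frame-Options` (in its `deny`, `sameorigin` and `allow-from` forms, or nothing when the feature is not enabled, matching the "or nothing" default) together with `X-XSS-Protection: 1; mode=block`, plus an audit routine that parses a raw HTTP response and reports when either control is missing or unusable. The function names, the `frame_options`/`allow_from` parameters and the sample response are assumptions constructed for illustration.

```python
"""Security response headers as discussed in the issue.

Added example, not Marathon's own code. Function names, the
frame_options/allow_from parameters and SAMPLE_RESPONSE are constructed
for illustration.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# The three X-Frame-Options modes named in the issue.
FRAME_OPTIONS_MODES = ("deny", "sameorigin", "allow-from")


def build_security_headers(frame_options: Optional[str] = None,
                           allow_from: Optional[str] = None,
                           xss_protection: bool = True) -> Dict[str, str]:
    """Return the response headers a server should add.

    frame_options=None models the opt-in default from the thread: no
    X-Frame-Options header is emitted, so existing iframe deployments keep
    working. 'allow-from' additionally needs a single http(s) origin.
    """
    headers: Dict[str, str] = {}
    if frame_options is not None:
        mode = frame_options.strip().lower()
        if mode not in FRAME_OPTIONS_MODES:
            raise ValueError(f"unsupported X-Frame-Options mode: {frame_options!r}")
        if mode == "allow-from":
            if not allow_from:
                raise ValueError("allow-from requires an origin URI")
            parsed = urlparse(allow_from)
            if parsed.scheme not in ("http", "https") or not parsed.netloc:
                raise ValueError(f"allow-from origin must be an http(s) URI: {allow_from!r}")
            # Only scheme and host:port form the origin; any path is dropped.
            headers["X-Frame-Options"] = f"ALLOW-FROM {parsed.scheme}://{parsed.netloc}"
        else:
            headers["X-Frame-Options"] = mode.upper()
    if xss_protection:
        headers["X-XSS-Protection"] = "1; mode=block"
    return headers


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def audit_response_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per control that is missing or ineffective."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: any origin may frame the page (clickjacking)")
    else:
        token = xfo.split()[0].lower() if xfo.split() else ""
        if token not in FRAME_OPTIONS_MODES:
            findings.append(f"X-Frame-Options has unrecognised value {xfo!r}; browsers ignore it")
    xss = lower.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif xss.strip().startswith("0"):
        findings.append("X-XSS-Protection explicitly disabled (0)")
    return findings


# Constructed sample: a REST response that sets neither header.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "[]"
)

if __name__ == "__main__":
    for finding in audit_response_headers(parse_response_headers(SAMPLE_RESPONSE)):
        print("FINDING:", finding)
    print("headers to add:", build_security_headers("deny"))
```

The audit is the check a reviewer would run against the UI and REST endpoints before and after the opt-in flag is enabled. Two caveats worth knowing: `X-XSS-Protection` is no longer honoured by most current browsers, so it should be treated as defence in depth rather than a primary control, and the `frame-ancestors` directive of Content-Security-Policy is the modern equivalent of `X-Frame-Options` with proper multi-origin support.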