Security Risk: Web Page can be Framed

[iph-97]

Description from Glenn:

Qualys reported a medium level security risk w/ doorway prod. This is the info: The problem: The web page can be framed. This means that clickjacking attacks against users are possible. Note: Only 10 pages are reported for this QID similar to 150245 Missing header: X-Frame-Options Impact Description With clickjacking, an attacker can trick a victim user into clicking an invisible frame on the web page, thereby causing the victim to take an action they did not intend to take. Solution Description Clickjacking prevention mechanisms include:

• X-Frame-Options: This HTTP response header can be used to prevent framing of web pages.
• Content-Security-Policy: The 'frame-ancestors' directive can be used to prevent framing of web pages.
• Framekiller JavaScript code designed to prevent a malicious user from framing the page. This method is not recommended due to its unreliability. See the OWASP Clickjacking Defense Cheat Sheet for more information. To avoid a common X-Frame-Options implementation mistake, see https://blog.qualys.com/securitylabs/2015/10/20/clickjacking-a-common-implementation-mistake-that-can-put-your-websites-in-danger.

Exygy next steps:

• Explore one of the options above to prevent framing on doorway
• Implement the fix

QA Notes: This will be handled by Eng (specifically @ColinBuyck) testing directly on localhost is proving to be difficult so this QA is a central part of the work for this issue.

[sarahlazarich]

• Look into tool for verifying that this works to avoid having to test with Glenn
• Investigate and implement in doorway, pull fix back in to core
• small chance this is only happening in DW
• This will mean GB can verify our fix before it goes in to core

[sarahlazarich]

going to ask Glenn if this is still relevant - partially fixed! Might be ok to close out.