```html
<app-root></app-root>
<noscript>Please enable JavaScript to continue using this application.</noscript>

<!-- Google Tag Manager (noscript) -->
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=STF_DOCKER_CONFIG_GOOGLE_ANALYTICS" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<!-- End Google Tag Manager (noscript) -->
```
Auto-generated PR comment (Polaris)
Polaris SAST Issue - Clickjacking
Medium CWE-829
The sandbox attribute of an iframe is not set in HTML. This iframe loads content from a third-party site. If the JavaScript in that iframe is malicious or was compromised, an attacker can break out of the iframe, access the DOM of the main page, and mount a clickjacking or a phishing attack.
How to fix
The recommended remediation depends on the required use case, which generally falls within one of three scenarios. These scenarios are described in more detail below.
Scenario 1 - The web page never needs to be framed within another page. In this scenario, the application should set the following HTTP response headers to prevent the page from being framed:
```http
X-Frame-Options: deny
Content-Security-Policy: frame-ancestors 'none';
```
Scenario 2 - The web page only needs to be framed within other pages of the same origin. In this scenario, the application should set the following HTTP response headers to limit framing within the same domain:
```http
X-Frame-Options: sameorigin
Content-Security-Policy: frame-ancestors 'self';
```
Scenario 3 - The web page needs to be framed within other pages from one or more trusted origins. In this scenario, the application should set the following HTTP response headers to allow framing within a trusted origin:
```http
X-Frame-Options: allow-from https://www.example.com
Content-Security-Policy: frame-ancestors https://www.example.com;
```
Important note: The 'allow-from' directive can only contain one origin, which means it has to be dynamically updated based on strict allow-list validation if you need to allow framing from more than one trusted origin. Also, note that allow-from is not supported by all browsers, e.g., it is only supported by IE, Edge, and some older versions of Firefox. However, CSP with frame-ancestors is not supported by Internet Explorer 11 and older versions. Therefore, both headers above are required for legacy coverage. If your application doesn't support IE 11, then you only need to use the Content-Security-Policy.
Frame-busting JavaScript code was often used in older applications to try to prevent clickjacking. However, most implementations can be bypassed by various means, and it is therefore not recommended as remediation. However, if a legacy application can't implement the X-Frame-Options or Content-Security-Policy headers, we would recommend a script that uses CSS to show the web page only if the top object is equal to self (i.e., the page is not being loaded into a frame). For more information and an example of such a script, see the following link:
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
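As an added example (not code from the PR under review, from Polaris, or from the OWASP cheat sheet), the following JavaScript turns the finding and the three remediation scenarios above into two checks a reviewer can run: `iframesWithoutSandbox` flags `<iframe>` tags that carry no `sandbox` attribute, and `framingHeaders` / `framingAllowed` build the header pairs from the three scenarios and evaluate whether a response carrying a given set of headers may be embedded by a given origin. The function names, the sample HTML (with a placeholder container id), and the origins used are all constructed for this example.

```javascript
// Added example; not code from the PR under review or from Polaris.
// 1. iframesWithoutSandbox: flags <iframe> tags with no sandbox attribute,
//    which is what the SAST finding above is about.
// 2. framingHeaders / framingAllowed: builds the header pairs from the three
//    remediation scenarios and evaluates, for a given framing origin, whether
//    a response carrying those headers may be framed. When a CSP frame-ancestors
//    directive is present it takes precedence over X-Frame-Options, as it does
//    in browsers that implement CSP Level 2.
// All sample inputs (HTML, origins, container id) are constructed for this example.

// Constructed sample: a GTM noscript fallback like the one in the PR (with a
// placeholder container id) next to an iframe that does carry a sandbox attribute.
const sampleHtml = `
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-PLACEHOLDER"
  height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<iframe src="/reports/embed" sandbox="allow-scripts"></iframe>
`;

// Return the src of every <iframe> tag that has no sandbox attribute.
function iframesWithoutSandbox(html) {
  const flagged = [];
  for (const match of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = match[0];
    // The attribute is preceded by whitespace, so "sandbox" inside a URL does not count.
    if (/\ssandbox(?=[\s=>\/])/i.test(tag)) continue;
    const src = /\bsrc\s*=\s*["']([^"']*)["']/i.exec(tag);
    flagged.push(src ? src[1] : '(no src)');
  }
  return flagged;
}

// Header pairs from the three scenarios in the comment above.
function framingHeaders(scenario, trustedOrigin) {
  switch (scenario) {
    case 'deny':
      return { 'X-Frame-Options': 'deny',
               'Content-Security-Policy': "frame-ancestors 'none';" };
    case 'sameorigin':
      return { 'X-Frame-Options': 'sameorigin',
               'Content-Security-Policy': "frame-ancestors 'self';" };
    case 'trusted':
      // allow-from takes exactly one origin; choose it per request from an allow-list.
      return { 'X-Frame-Options': `allow-from ${trustedOrigin}`,
               'Content-Security-Policy': `frame-ancestors ${trustedOrigin};` };
    default:
      throw new Error(`unknown scenario: ${scenario}`);
  }
}

// Does one CSP host-source (https://www.example.com, https://*.example.com, or a
// bare host) match an origin? Keyword sources ('self', 'none', *) are handled by
// the caller; scheme-only sources such as "https:" are treated as non-matching here.
function matchesSource(source, origin) {
  const url = new URL(origin);
  const m = /^(?:(https?):\/\/)?(\*\.)?([^/:*]+)(?::(\d+))?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== `${scheme}:`) return false;
  if (port && url.port !== port) return false;
  const hostname = url.hostname.toLowerCase();
  return wildcard ? hostname.endsWith(`.${host}`) : hostname === host;
}

// Decide whether a page served from pageOrigin with these response headers may be
// embedded by a document at framerOrigin. Returns true when nothing blocks framing.
// Header names are looked up exactly as written here (no case folding of keys).
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const page = pageOrigin.toLowerCase();
  const framer = framerOrigin.toLowerCase();
  const csp = headers['Content-Security-Policy'];
  if (csp) {
    const directive = csp.split(';').map(s => s.trim())
      .find(s => s.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      // An empty source list ("frame-ancestors;") blocks every ancestor.
      return directive.split(/\s+/).slice(1).some(raw => {
        const src = raw.replace(/^'|'$/g, '').toLowerCase();
        if (src === 'none') return false;
        if (src === 'self') return framer === page;
        if (src === '*') return true;
        return matchesSource(src, framer);
      });
    }
  }
  const xfo = (headers['X-Frame-Options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return false;
  if (xfo === 'sameorigin') return framer === page;
  if (xfo.startsWith('allow-from ')) return xfo.slice('allow-from '.length).trim() === framer;
  return true; // no framing protection at all: any origin may embed the page
}

console.log(iframesWithoutSandbox(sampleHtml));
console.log(framingAllowed(framingHeaders('deny'), 'https://app.example', 'https://app.example'));
```

Running the block prints the GTM src as the one unsandboxed iframe and `false` for the deny scenario. The evaluator deliberately lets `frame-ancestors` override `X-Frame-Options`, so a pair of headers that disagree (for instance `deny` next to `frame-ancestors 'self'`) is judged the way a CSP-capable browser would judge it, which is the situation the comment's note on legacy coverage is about.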
0abfc0c to 8a0136f
* [sc-13911] Re-sync all in sync service * Prevent button text from overflowing * Fix test
* [sc-13906] Implement SharePoint site search and listing * Fix texts * Fix rxjs
…original state with the came_from
No description provided.