Virgil,

This was intentionally introduced via NIFI-3907 [1] in Apache NiFi 1.3.0 as a 
mitigation for CVE-2017-7667 [2]. Prior to this change, a malicious site could 
have displayed the NiFi UI and introduced invisible overlays such that an 
unsuspecting user would perform actions like entering sensitive credentials 
into a malicious form field. See here [3] and here [4] for further information 
on Cross Frame Scripting / Clickjacking, as the attack is called.

If you have some kind of enterprise portal and have a legitimate need to 
display a NiFi UI within a frame that is not hosted on the same origin, you can 
resort to modifying the value provided to the response header in the filter 
here [5]. If you need this as an included feature in NiFi (for example, a 
configurable URI in nifi.properties), I suggest raising a Jira ticket, but I 
have to caution that it would be a low priority, as this actively weakens the 
security of the system and is not a common use case.

[1] https://issues.apache.org/jira/browse/NIFI-3907
[2] https://nifi.apache.org/security.html#CVE-2017-7667
[3] https://www.owasp.org/index.php/Cross_Frame_Scripting
[4] http://msdn.microsoft.com/en-us/library/ms533028(VS.85).aspx
[5] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java#L1000


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Dec 12, 2017, at 10:15 AM, tanezavm <vft.biz...@gmail.com> wrote:
> 
> Hi,
> 
> I tried to display NiFi 1.4.0 UI in an IFrame but it failed to load with
> error below:
> 
> Refused to display 'https://172.16.0.33:8443/nifi/' in a frame because it
> set 'X-Frame-Options' to 'sameorigin'.
> 
> Note: This setup works using NiFi 1.1.2.
> 
> Kindly advise.
> 
> 
> Thanks,
> Virgil
> 
> 
> 
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
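The browser check behind Virgil's "Refused to display ... because it set 'X-Frame-Options' to 'sameorigin'" error, as an added, stand-alone example that is not part of this thread and not NiFi's own code. It models how a current browser decides whether a response may be framed: a Content-Security-Policy frame-ancestors directive, when present, wins over X-Frame-Options; SAMEORIGIN is compared against the top-level page's origin; the old ALLOW-FROM value is deprecated and ignored by current Chrome and Firefox, so it gives no protection. The portal and attacker URLs (portal.example.com, attacker.example) are constructed for the example; the NiFi address is the one from the original report. The scenarios at the end show the NiFi 1.4.0 default, the pre-1.3.0 behaviour with no header, and what the header value would have to become if someone did change the filter referenced in [5] for an enterprise portal: an explicit frame-ancestors allowlist, never `*`.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return the scheme://host[:port] origin browsers compare; default ports are dropped."""
    p = urlsplit(url)
    port = p.port
    if port is None or port == DEFAULT_PORTS.get(p.scheme):
        return f"{p.scheme}://{p.hostname}"
    return f"{p.scheme}://{p.hostname}:{port}"


def _source_matches(source, top_origin, frame_origin):
    """Match one CSP frame-ancestors source expression against the top-level page origin."""
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":                      # 'self' is the origin of the framed resource itself
        return top_origin == frame_origin
    top = urlsplit(top_origin)
    if src.endswith(":") and "//" not in src:  # scheme-source such as "https:"
        return top.scheme == src[:-1]
    if "//" not in src:                        # bare host-source inherits the framed page's scheme
        src = f"{urlsplit(frame_origin).scheme}://{src}"
    s = urlsplit(src)
    if s.scheme != top.scheme:
        return False
    shost, thost = s.hostname or "", top.hostname or ""
    if shost.startswith("*."):                 # wildcard matches subdomains only
        host_ok = thost.endswith(shost[1:])
    else:
        host_ok = shost == thost
    if not host_ok:
        return False
    if s.netloc.endswith(":*"):                # wildcard port
        return True
    # A source without a port only matches the scheme's default port (CSP host-source rule).
    sport = s.port or DEFAULT_PORTS.get(s.scheme)
    tport = top.port or DEFAULT_PORTS.get(top.scheme)
    return sport == tport


def framing_allowed(headers, framed_url, top_level_url):
    """Decide whether a browser may render framed_url inside a page at top_level_url.

    Returns (allowed, reason). Header names are matched case-insensitively.
    """
    frame_origin = origin_of(framed_url)
    top_origin = origin_of(top_level_url)
    h = {k.lower(): v for k, v in headers.items()}
    # CSP frame-ancestors takes precedence over X-Frame-Options in browsers that support it.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            allowed = any(_source_matches(s, top_origin, frame_origin) for s in value.split())
            return allowed, f"CSP frame-ancestors {value.strip()}"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False, "X-Frame-Options: DENY"
    if xfo == "sameorigin":
        return top_origin == frame_origin, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("allow-from"):
        # Deprecated: current Chrome and Firefox ignore the header entirely, so no protection.
        return True, "X-Frame-Options: ALLOW-FROM is deprecated and ignored by current browsers"
    return True, "no framing restriction"


def nifi_scenarios():
    """Outcomes for the framing situations discussed in the thread (portal/attacker URLs constructed)."""
    nifi = "https://172.16.0.33:8443/nifi/"                 # address from the original report
    portal = "https://portal.example.com/dashboard"         # constructed enterprise portal
    attacker = "https://attacker.example/overlay.html"      # constructed clickjacking page
    allowlist = {"Content-Security-Policy": "frame-ancestors 'self' https://portal.example.com"}
    return {
        "1.4.0 default, foreign portal": framing_allowed({"X-Frame-Options": "SAMEORIGIN"}, nifi, portal)[0],
        "1.4.0 default, same origin": framing_allowed({"X-Frame-Options": "SAMEORIGIN"}, nifi,
                                                     "https://172.16.0.33:8443/portal.html")[0],
        "no header (pre-1.3.0 behaviour)": framing_allowed({}, nifi, attacker)[0],
        "frame-ancestors allowlist, portal": framing_allowed(allowlist, nifi, portal)[0],
        "frame-ancestors allowlist, attacker": framing_allowed(allowlist, nifi, attacker)[0],
    }


if __name__ == "__main__":
    for label, allowed in nifi_scenarios().items():
        print(f"{label}: {'framed' if allowed else 'refused'}")
```

The "no header" row is the pre-1.3.0 state: any site, including the attacker's overlay page, could frame the UI. The SAMEORIGIN comparison here follows the spec (top-level origin only); Chrome additionally checks every intermediate ancestor frame, which is stricter, never looser.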

