Re: NiFI 1.4.0 UI can't be displayed in an IFrame?

2018-01-19 Thread tanezavm 
Hi Andy,

I submitted a ticket to document our need.
Here is the link - https://issues.apache.org/jira/browse/NIFI-4797

Regards,
Virgil



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/

Re: NiFI 1.4.0 UI can't be displayed in an IFrame?

2018-01-10 Thread Andy LoPresto 
Virgil,

Understood. I would encourage you to open a ticket documenting this need as 
there may be other users who also need it, and a native feature will be more 
useful than requiring people to manually change code and build the application 
with every release. Thanks.


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jan 10, 2018, at 7:20 AM, tanezavm  wrote:
> 
> Hi Andy,
> 
> Thanks for the very helpful explanation. I believe I would go to option 5 to
> change the value provided to the response header. We have some kind of
> enterprise portal and have a legitimate need to display a NiFi UI within a
> frame.
> 
> Regards,
> Virgil
> 
> 
> 
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: NiFI 1.4.0 UI can't be displayed in an IFrame?

2018-01-10 Thread tanezavm 
Hi Andy,

Thanks for the very helpful explanation. I believe I would go to option 5 to
change the value provided to the response header. We have some kind of
enterprise portal and have a legitimate need to display a NiFi UI within a
frame. 

Regards,
Virgil



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/

Re: NiFI 1.4.0 UI can't be displayed in an IFrame?

2017-12-13 Thread Andy LoPresto 
Virgil,

This was intentionally introduced via NIFI-3907 [1] in Apache NiFi 1.3.0 as a 
mitigation for CVE-2017-7667 [2]. Prior to this change, a malicious site could 
have displayed the NiFi UI and introduced invisible overlays such that an 
unsuspecting user would perform actions like entering sensitive credentials 
into a malicious form field. See here [3] and here [4] for further information 
on Cross Frame Scripting / Clickjacking, as the attack is called.

If you have some kind of enterprise portal and have a legitimate need to 
display a NiFi UI within a frame that is not hosted on the same origin, you can 
resort to modifying the value provided to the response header in the filter 
here [5]. If you need this as an included feature in NiFi (for example, a 
configurable URI in nifi.properties), I suggest raising a Jira ticket, but I 
have to caution that it would be a low priority, as this actively weakens the 
security of the system and is not a common use case.

[1] https://issues.apache.org/jira/browse/NIFI-3907
[2] https://nifi.apache.org/security.html#CVE-2017-7667
[3] https://www.owasp.org/index.php/Cross_Frame_Scripting 

[4] http://msdn.microsoft.com/en-us/library/ms533028%28VS.85%29.aspx 

[5] 
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java#L1000
 



Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Dec 12, 2017, at 10:15 AM, tanezavm  wrote:
> 
> Hi,
> 
> I tried to display NiFi 1.4.0 UI in an IFrame but it failed to load with
> error below:
> 
> Refused to display 'https://172.16.0.33:8443/nifi/' in a frame because it
> set 'X-Frame-Options' to 'sameorigin'.
> 
> Note: This setup works using NiFi 1.1.2.
> 
> Kindly advise.
> 
> 
> Thanks,
> Virgil
> 
> 
> 
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/



signature.asc
Description: Message signed with OpenPGP using GPGMail

NiFI 1.4.0 UI can't be displayed in an IFrame?

2017-12-12 Thread tanezavm 
Hi,

I tried to display NiFi 1.4.0 UI in an IFrame but it failed to load with
error below:

Refused to display 'https://172.16.0.33:8443/nifi/' in a frame because it
set 'X-Frame-Options' to 'sameorigin'.

Note: This setup works using NiFi 1.1.2.

Kindly advise. 


Thanks,
Virgil



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/