Hello Saikiran,

First of all, thanks for asking for help on this.
Many other users may also be having difficulty with these issues.

But one thing to keep in mind, "suggest a fix immediately" is not something that should be expected of a group of open source volunteers.

The first thing that I would suggest is that we take a look at Content Security Policy in detail.
Here are a couple of links:
- https://www.w3.org/TR/CSP11/#directive-frame-ancestors
- https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_Content_Security_Policy_frame-ancestors_directive

The first thing I see is that blocking application content would be the desired intention.
But in your case the blocking seems to be overactive.

This directive is an agreement between browser and application server.
So you would need to examine both to make sure that they can handle this directive as expected.
Here is an excerpt from one of the links:


     Limitations (of the Content Security Policy frame-ancestors directive)

 * *Browser support:* frame-ancestors is not supported by all the major
   browsers yet.
 * *X-Frame-Options takes priority:* Section 7.7.1 of the CSP Spec
   <https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options>
   says X-Frame-Options should be ignored if frame-ancestors is
   specified, but Chrome 40 & Firefox 35 ignore the frame-ancestors
   directive and follow the X-Frame-Options header instead.

So this could explain the different behavior you are seeing from the different browsers. Secondly, I would double check the intent of each of the directives you are using in your Content-Security-Policy example. Beyond this, it may be helpful if you were to provide a few more details on how you are using Apache HTTP Server for this.
(httpd version?, which MPM? using as a reverse proxy?)

Thanks,

Mike
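Added example, not part of Mike's reply or of the original thread: a small Python script that parses the two Content-Security-Policy values quoted below and reports, directive by directive, what each policy allows, so the intent of each directive can be checked as suggested. It assumes the CSP Level 2 fallback rules (fetch directives fall back to default-src, frame-ancestors never does, and a directive present with an empty source list matches nothing, the same as 'none'). The function names and the report wording are my own.

```python
"""Report what a Content-Security-Policy header value allows, directive by directive."""
from typing import Dict, List, Optional

# Constructed sample inputs: the two header values from the thread below.
POLICY_STRICT = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
                 "img-src 'self'; style-src 'self';")
POLICY_FRAME_ONLY = "frame-ancestors"

# Fetch directives that fall back to default-src when not listed (CSP Level 2 rules, assumed here).
FALLS_BACK_TO_DEFAULT = (
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src", "child-src",
)
# Directives that never consult default-src; frame-ancestors is one of them.
NO_FALLBACK = ("frame-ancestors", "base-uri", "form-action")


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue  # the spec ignores a repeated directive name; the first one wins
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list governing `directive`, or None when nothing restricts it.

    A directive that is present but has an empty source list matches nothing,
    which is the same as writing 'none'.
    """
    if directive in policy:
        return policy[directive] or ["'none'"]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def review_policy(header_value: str) -> Dict[str, str]:
    """Summarise the outcome for every directive the script knows about."""
    policy = parse_csp(header_value)
    report: Dict[str, str] = {}
    for directive in FALLS_BACK_TO_DEFAULT + NO_FALLBACK:
        sources = effective_sources(policy, directive)
        if sources is None:
            report[directive] = "unrestricted"
        elif sources == ["'none'"]:
            report[directive] = "blocked"
        else:
            report[directive] = "allowed from " + " ".join(sources)
    return report


def matching_x_frame_options(csp_value: str) -> Optional[str]:
    """X-Frame-Options value that says the same as the policy's frame-ancestors.

    Returns None when there is no equivalent: either the policy does not set
    frame-ancestors at all, or it lists hosts that X-Frame-Options cannot express.
    Browsers that follow X-Frame-Options instead of frame-ancestors then see the
    same restriction when both headers are sent.
    """
    sources = effective_sources(parse_csp(csp_value), "frame-ancestors")
    if sources == ["'none'"]:
        return "DENY"
    if sources == ["'self'"]:
        return "SAMEORIGIN"
    return None


if __name__ == "__main__":
    for label, value in (("strict", POLICY_STRICT), ("frame-only", POLICY_FRAME_ONLY)):
        print(f"--- {label}: {value}")
        for directive, outcome in review_policy(value).items():
            print(f"  {directive:16} {outcome}")
        print(f"  X-Frame-Options equivalent: {matching_x_frame_options(value)}")
```

Run against the first header, the report shows that font, media, object and frame loads are blocked by default-src 'none' while framing of the page itself is unrestricted; against the second it shows frame-ancestors blocked (the empty source list) and nothing else restricted. Where a policy uses frame-ancestors 'self', sending X-Frame-Options SAMEORIGIN alongside it with the same mod_headers Header directive keeps browsers that prefer X-Frame-Options in step with those that honour frame-ancestors.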

On 5/4/2017 1:04 PM, saikiran....@wipro.com wrote:

Hi,

We are using the below header to fix the vulnerabilities.

*Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"*

But after that, application content is getting blocked while accessing it through the browser.

We have given it a try with the same header but with a different value.

*Header set Content-Security-Policy "frame-ancestors"*

The application is able to show the content in IE and Firefox but not in Chrome. Please suggest a fix immediately.

Best Regards

*Saikiran M*

*Middleware Administrator | SNXT Operations* – Global Service Management Centre

*Wipro Limited*
