Bug 1371292

Summary: [RFE] OpenShift Router should allow x-frame-options to be set (or configured).
Product: OpenShift Container Platform
Reporter: Eric Rich <erich>
Component: RFE
Assignee: Ben Bennett <bbennett>
Status: CLOSED DEFERRED
QA Contact: Johnny Liu <jialiu>
Severity: high
Docs Contact:
Priority: medium
Version: 3.2.1
CC: aos-bugs, charles_sheridan, jokerman, mmccomas
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-09 15:44:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Eric Rich 2016-08-29 20:12:03 UTC
> Proposed title of this feature request  

Router settings for x-frame-options
  
> What is the nature and description of the request?

To prevent "clickjacking attacks" the router should be able to DENY, allow rendering from SAMEORIGIN, or allow rendering from defined origins: ALLOW-FROM.
  
> Why does the customer need this? (List the business requirements here)  

Customer needs this so that "security compliance checks" can be run on the platform, and pass security inspections. Customer needs the ability to "globally" set the x-frame-options for all applications in the environment, and customize it per application (if necessary).
  
> How would the customer like to achieve this? (List the functional requirements here)  

Customer would like to use router (ENV) settings or (annotations) to provide the needed configurations on the router or routes. 
  
> For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

You should be able to test that "generic routes" (created without annotations) get the correct x-frame-options.
You should be able to test that "annotated" routes override this configuration. 
  
> Is there already an existing RFE upstream or in Red Hat Bugzilla?  
  
No
  
> List any affected packages or components.  

HAProxy

Comment 2 Eric Rich 2016-08-29 20:14:50 UTC
HAProxy should be able to set X-Frame-Options with a configuration like the following: 

> http-response set-header X-Frame-Options DENY

With that said, configuration that looks for the existence of ENV variables (for global settings) and/or annotations (for specific routes) can allow you to customize the "value" portion of the header to match that of the RFC.

Comment 3 Ben Bennett 2016-09-09 15:44:25 UTC
With a custom router template [1] and route annotations [2] you could do this in 3.3.

Otherwise, this will not be added as a core feature before we move to the ingress object, and even then it won't happen within a year.

[1] https://docs.openshift.com/enterprise/3.2/install_config/install/deploy_router.html#using-configmap-replace-template

[2] If you look in the 3.3 router template you will see where it uses annotations to set options. You can follow that pattern to set the http-response header as you wish.
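As an added example (not from this bug, nor the OpenShift router's own template code), the scheme described in comments 2 and 3 in Python: a global default from a router ENV variable, overridden per route by an annotation, with every value checked against the RFC 7034 forms (DENY, SAMEORIGIN, ALLOW-FROM origin) before it is placed in the HAProxy `http-response set-header` line. The ENV variable and annotation names are assumptions, not real OpenShift settings.

```python
"""Derive the HAProxy X-Frame-Options line for a route from a global
default plus an optional per-route annotation override (added example).
"""
import os
import re
from typing import Mapping, Optional

ENV_VAR = "ROUTER_X_FRAME_OPTIONS"                           # hypothetical name
ANNOTATION = "haproxy.router.openshift.io/x-frame-options"   # hypothetical name

# ALLOW-FROM takes a serialized origin: scheme, host, optional port, no path.
_ORIGIN = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d+)?$")


def normalize_xfo(value: str) -> Optional[str]:
    """Return the canonical X-Frame-Options value, or None if `value` is not
    one of the RFC 7034 forms. The result lands inside haproxy.config, so
    anything that is not DENY, SAMEORIGIN or ALLOW-FROM <origin> is rejected
    rather than passed through."""
    v = " ".join(value.split())            # trim and collapse whitespace
    upper = v.upper()
    if upper in ("DENY", "SAMEORIGIN"):
        return upper
    if upper.startswith("ALLOW-FROM "):
        origin = v[len("ALLOW-FROM "):]    # keep the origin's own casing
        if _ORIGIN.match(origin):
            return "ALLOW-FROM " + origin
    return None


def xfo_config_line(annotations: Mapping[str, str],
                    env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Annotation wins over the global ENV default. An invalid value at one
    level is skipped so that a bad annotation cannot silently remove the
    platform-wide protection. Returns the haproxy.config line, or None when
    neither level provides a usable value."""
    env = os.environ if env is None else env
    for candidate in (annotations.get(ANNOTATION), env.get(ENV_VAR)):
        if candidate:
            value = normalize_xfo(candidate)
            if value is not None:
                return f"    http-response set-header X-Frame-Options {value}"
    return None


if __name__ == "__main__":
    # Constructed sample routes: generic, annotated, and a bad annotation.
    routes = {"web": {}, "dash": {ANNOTATION: "sameorigin"},
              "embed": {ANNOTATION: "ALLOW-FROM https://portal.example.com"},
              "broken": {ANNOTATION: "javascript:alert(1)"}}
    for name, ann in routes.items():
        print(f"{name}: {xfo_config_line(ann, env={ENV_VAR: 'DENY'})}")
```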

Comment 4 Ben Bennett 2016-09-09 16:06:08 UTC
Since we don't support custom router templates, we fall to the second case. So we aren't going to implement this on the router, but may add something like it for the upstream kubernetes ingress object. But that likely won't happen until at least late next year.