Bug 1371292 - [RFE] OpenShift Router should allow x-frame-options to be set (or configured).
Summary: [RFE] OpenShift Router should allow x-frame-options to be set (or configured).
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.2.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Ben Bennett
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-08-29 20:12 UTC by Eric Rich
Modified: 2019-12-16 06:32 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-09 15:44:25 UTC
Target Upstream Version:



Description Eric Rich 2016-08-29 20:12:03 UTC
> Proposed title of this feature request  

Router settings for x-frame-options
  
> What is the nature and description of the request?

To prevent "clickjacking" attacks, the router should be able to DENY, allow rendering from SAMEORIGIN, or allow rendering from defined origins: ALLOW-FROM. 
  
> Why does the customer need this? (List the business requirements here)  

Customer needs this so that "security compliance checks" can be run on the platform, and pass security inspections. Customer needs the ability to "globally" set the x-frame-options for all applications in the environment, and customize it per application (if necessary). 
  
> How would the customer like to achieve this? (List the functional requirements here)  

Customer would like to use router (ENV) settings or (annotations) to provide the needed configurations on the router or routes. 
  
> For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

You should be able to test that "generic routes" (created without annotations) get the correct x-frame-options. 
You should be able to test that "annotated" routes override this configuration. 
  
> Is there already an existing RFE upstream or in Red Hat Bugzilla?  
  
No
  
> List any affected packages or components.  

HAProxy

Comment 2 Eric Rich 2016-08-29 20:14:50 UTC
HAProxy should be able to set X-Frame-Options with a configuration like the following: 

> http-response set-header X-Frame-Options DENY

With that said, configuration that looks for the existence of ENV variables (for global settings) and/or annotations (for specific routes) can allow you to customize the "value" portion of the header to match that of the RFC.

Comment 3 Ben Bennett 2016-09-09 15:44:25 UTC
With a custom router template [1] and route annotations [2] you could do this in 3.3

Otherwise, this will not be added as a core feature before we move to the ingress object, and even then it won't happen within a year.

[1] https://docs.openshift.com/enterprise/3.2/install_config/install/deploy_router.html#using-configmap-replace-template

[2] If you look in the 3.3 router template you will see where it uses annotations to set options.  You can follow that pattern to set the http-response header as you wish

Comment 4 Ben Bennett 2016-09-09 16:06:08 UTC
Since we don't support custom router templates, we fall to the second case.  So we aren't going to implement this on the router, but may add something like it for the upstream kubernetes ingress object.  But that likely won't happen until at least late next year.
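The configuration the thread describes (Comment 2's set-header rule, applied per route the way Comment 3's template-plus-annotation pattern would render it), written out as a plain HAProxy config. This is an added example, not code from the bug report or from the OpenShift router template; the backend and host names are illustrative, and the idea that the DENY default comes from a router env var and the SAMEORIGIN value from a route annotation is an assumption about how such a template would be written, not a router feature.

```haproxy
# Added example (not the OpenShift router's own template or config).
# A router template emits one backend per route, so the header rule is
# placed in each backend: the global default for plain routes (assumed to
# be read from a router env var, e.g. the hypothetical ROUTER_X_FRAME_OPTIONS)
# and the annotation value for routes that carry one.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public
    bind *:80
    # Pick a backend by Host header; ACL and backend names are illustrative.
    acl host_app1 hdr(host) -i app1.example.com
    acl host_app2 hdr(host) -i app2.example.com
    use_backend be_app1 if host_app1
    use_backend be_app2 if host_app2
    default_backend be_app1

# "Generic" route (no annotation): gets the global default.
backend be_app1
    server app1 10.0.0.11:8080 check
    # set-header replaces any X-Frame-Options the application itself sent,
    # so the router's policy always wins. Use add-header, or guard with
    # "unless { res.hdr(X-Frame-Options) -m found }", if an application's
    # own value should take precedence instead.
    http-response set-header X-Frame-Options DENY

# "Annotated" route: the per-route value overrides the default.
backend be_app2
    server app2 10.0.0.12:8080 check
    http-response set-header X-Frame-Options SAMEORIGIN
```

Two caveats worth knowing before building this into a template. First, keep the rule in the backends rather than putting a "default" in the frontend: HAProxy evaluates backend http-response rules before frontend ones, so a frontend `http-response set-header X-Frame-Options DENY` would overwrite every per-route value. Second, of the three values the description asks for, only DENY and SAMEORIGIN are interoperable; ALLOW-FROM is listed in RFC 7034 but Chrome and Safari never implemented it and Firefox has since removed it, so an origin allow-list for a compliance policy is better expressed with `Content-Security-Policy: frame-ancestors <origin>` set the same way. To verify either route, `curl -sI http://app1.example.com/ | grep -i x-frame-options` should show DENY for the generic route and SAMEORIGIN for the annotated one.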

