erikwinlof

Introducing the IFramePolicy in Alfresco Share

Blog Post created by erikwinlof on Mar 12, 2013
A few weeks back we added a new config section called IFramePolicy into the alfresco-security-config.xml file. This is a config section that describes which pages that Alfresco Share should allow to be '(i)framed', in other words be included inside Alfresco Share within an iframe. It is available in Alfresco Enterprise 4.1.4 and also for Community on HEAD.



The reason we added this config is to improve mitigation of phishing attacks. To read more about phishing attacks please visit OWASP's page on the subject.

https://www.owasp.org/index.php/Phishing



So how does this concern you? Well if you are a developer and you have code that creates iframe's you should honour the config before creating the iframe. If you are a system administrator you are probably interested in overriding the default config because it allows *any* pages to be iframed.



Let's start by taking a look at the default configuration defined in share-security-config.xml.

<config evaluator='string-compare' condition='IFramePolicy'>

  <!--

    Local Share pages/resources are governed by the same-domain element which

    can be set to 'allow' or 'deny'

  -->

  <same-domain>allow</same-domain>

  <!--

    Add a list of <url> elements inside this element to form a whitelist of

    allowed domains. The check will assert that the url used for the <iframe>

    starts with the value of one of the <url> elements.

  -->

  <cross-domain>

    <!--

      Allow all domains by default, it is recommended to override this

      setting and instead keep a whitelist of the domains that you trust to be

      included on Share pages.

    -->

    <url>*</url>

  </cross-domain>

</config>


Honouring the IFramePolicy in your code



Every developer creating custom code for Alfresco Share should honour the IFramePolicy config. It is very simple and all you need to do is to add the following code snipped to your code:

if (Alfresco.util.IFramePolicy && 

    !Alfresco.util.IFramePolicy.isUrlAllowed(iFrameSrcUrl))

{

   // TODO: Display error message saying the IFramePolicy doesn't allow this url

}

else

{

  // TODO: Display the iframe just like you did before

}


First we check if the IFramePolicy is there, we do this to make sure our code will continue to work in older Alfresco Share versions that don't have an IFramePolicy. Then we check if the url that we are about to display is trusted by the IFramePolicy config. If it isn't we display a friendly error message telling the user how to proceed.

Creating a whitelist of trusted domains



As an administrator you probably want to override the default configuration to keep your Alfresco Share installation as safe as possible. This is very simple to do, simply:



Copy the following code and add it to your share-config-custom.xml file:

<config evaluator='string-compare' condition='IFramePolicy' replace='true'>

  <cross-domain>

    <url>http://www.trusted-domain-1.com/</url>

    <url>http://www.trusted-domain-2.com/</url>

  </cross-domain>

</config>


As you can see we have overriden/replaced the IFramePolicy's <cross-domain> element to not include the default <url>*</url> but instead multiple <url> element each specifying the urls to trust.



The url check will be done using a 'startswith' comparison (not a regexp) meaning you can, if you like, only allow certain pages on a domain to be trusted, i.e. you could add a <url> element like below:

<url>http://www.partly-trusted-domain.com/but/only/urls/from/here</url>


Note! Avoid adding a url with only the protocol and domain that doesn't end with a front slash ('/'), since http://www.my-proxy-server.com.evil-server.se/phishing-attack.html obviously starts with http://www.my-proxy-server.com but not http://www.my-proxy-server.com/ .



That's it, I hope you enjoyed the blog post, if you have any questions please add a comment.

Outcomes