Web2py security questions


Scott Hunter

27 Mar 2015, 7:12:02 pm
to web...@googlegroups.com
1. Does web2py employ, allow or support any anti-framing measures, to prevent "an attack that can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons".  If so, any pointers to either documentation describing how these are present, or how one would enable them, would be appreciated.  Supposedly not employing such measures can allow clickjacking and/or CSRF.

2. Does, or can, web2py "prevent the browser from prompting the user to save populated values for later reuse"?

- Scott
Message has been deleted

黄祥

28 Mar 2015, 2:03:53 am
to web...@googlegroups.com
I think you can check it in the book, in the chapter about web2py security
ref :

best regards,
stifan

Scott Hunter

28 Mar 2015, 6:44:40 am
to web...@googlegroups.com
I did; it says nothing about the specific things I asked about (or if it does, I cannot tell); that is why I asked.

If that section of the book *does* address my questions, could someone point me to where in that section it does so?  For example, there is a reference to preventing CSRF, but not about anti-framing.

- Scott

P.S. Thanks for not LOL-ing me and saying this is an inappropriate forum for such a question, like my first reply (which has been deleted) -- progress!

Anthony

28 Mar 2015, 10:52:58 am
to web...@googlegroups.com
On Friday, March 27, 2015 at 7:12:02 PM UTC-4, Scott Hunter wrote:
1. Does web2py employ, allow or support any anti-framing measures, to prevent "an attack that can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons".  If so, any pointers to either documentation describing how these are present, or how one would enable them, would be appreciated.  Supposedly not employing such measures can allow clickjacking and/or CSRF.

I don't think web2py does anything by default, but you can add protection yourself by setting the X-Frame-Options and/or Content-Security-Policy headers in a model file:

response.headers['X-Frame-Options'] = "SAMEORIGIN"
response.headers['Content-Security-Policy'] = "frame-ancestors 'self'"

Perhaps web2py should set the Content-Security-Policy header by default, maybe with an optional configurable whitelist of allowed ancestors.

Note, you can also configure your server (e.g., nginx, Apache) to automatically set the above headers.

You can also implement a Javascript defense, such as this one.

2. Does, or can, web2py "prevent the browser from prompting the user to save populated values for later reuse"?

It doesn't by default (as that is a user preference configurable in the browser), but nothing stops you from using the various available solutions, such as setting the "autocomplete" attribute of form and input elements to "off" (which can be done on the server or via Javascript) or using Javascript to reset the form after rendering.

Anthony

Gray Kanarek

28 Mar 2015, 12:14:52 pm
to web...@googlegroups.com
This might help with the second question: http://stackoverflow.com/questions/32369/disable-browser-save-password-functionality

This (and included links) might help with the first.


Massimo Di Pierro

28 Mar 2015, 12:26:24 pm
to web...@googlegroups.com
Perhaps we should, but being able to frame pages is something that people always want as a feature.

Anthony

28 Mar 2015, 1:46:21 pm
to web...@googlegroups.com
On Saturday, March 28, 2015 at 12:26:24 PM UTC-4, Massimo Di Pierro wrote:
Perhaps we should, but being able to frame pages is something that people always want as a feature.

The two header examples below allow framing if the ancestor page is from the same domain as the framed page. I wouldn't necessarily set the X-Frame-Options header by default in the framework, as that header is non-standard and being deprecated in favor of Content-Security-Policy, which itself is more flexible and allows specification of a whitelist of allowed ancestors. I was suggesting maybe setting Content-Security-Policy, with framing from the same domain allowed by default, and with an easy-to-set setting to specify a whitelist (e.g., response.allowed_frame_ancestors). I'm not sold on the idea -- just something to consider.

Another option might be to include a commented line in the scaffolding app that would make it easier/more obvious for developers to provide this protection.

Anthony
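The following is an added example written for this page, not web2py's own code, illustrating the two replies from Anthony above: setting the anti-framing headers from a model file, and driving them from a whitelist of allowed ancestors in the shape of the response.allowed_frame_ancestors setting he floats. The setting name, the origin validation, the _merge_csp helper and the plain dict standing in for web2py's response.headers are all assumptions made here; the header names and the frame-ancestors directive are the ones the thread discusses.

```python
# Added example (not web2py's own code). Builds the anti-framing headers from
# a whitelist of allowed ancestor origins. Assumed/hypothetical: the
# allowed_frame_ancestors setting, the origin regex, and the dict used in
# place of response.headers.
import re

# 'self' and 'none' are CSP keywords and must keep their single quotes;
# anything else must be a scheme://host[:port] origin (no path, no query).
_ORIGIN_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d{1,5})?$")


def frame_ancestors_policy(allowed=None):
    """Return the Content-Security-Policy value restricting who may frame
    the page. allowed: list of origins; None means same origin only;
    an empty list (or ["none"]) means nobody may frame the page."""
    if allowed is None:
        allowed = ["self"]
    if not allowed:
        return "frame-ancestors 'none'"
    if "none" in allowed and len(allowed) > 1:
        raise ValueError("'none' cannot be combined with other sources")
    sources = []
    for item in allowed:
        if item in ("self", "none"):
            sources.append("'%s'" % item)
        elif item == "*":
            # A bare wildcard re-opens the page to every framer and defeats
            # the purpose of the header; refuse it rather than emit it.
            raise ValueError("refusing wildcard frame-ancestors")
        elif _ORIGIN_RE.match(item):
            sources.append(item)
        else:
            raise ValueError("not a valid ancestor origin: %r" % item)
    return "frame-ancestors " + " ".join(sources)


def x_frame_options_for(allowed=None):
    """Legacy header for browsers that ignore frame-ancestors. It has no
    multi-origin form (ALLOW-FROM takes a single origin and is not honoured
    everywhere), so for a real whitelist we return None and let CSP carry
    the policy alone."""
    if allowed is None or allowed == ["self"]:
        return "SAMEORIGIN"
    if not allowed or allowed == ["none"]:
        return "DENY"
    return None


def _merge_csp(existing, directive):
    """Add/replace the frame-ancestors directive without clobbering other
    directives an earlier model file or a proxy may already have set."""
    kept = [d.strip() for d in (existing or "").split(";")
            if d.strip() and not d.strip().startswith("frame-ancestors")]
    kept.append(directive)
    return "; ".join(kept)


def apply_anti_framing(headers, allowed=None):
    """Set both headers on a dict shaped like web2py's response.headers."""
    headers["Content-Security-Policy"] = _merge_csp(
        headers.get("Content-Security-Policy"), frame_ancestors_policy(allowed))
    xfo = x_frame_options_for(allowed)
    if xfo:
        headers["X-Frame-Options"] = xfo
    else:
        # A stale SAMEORIGIN/DENY would override the CSP whitelist in
        # browsers that honour both headers; drop it.
        headers.pop("X-Frame-Options", None)
    return headers


if __name__ == "__main__":
    # In a web2py model file this would be:
    #   apply_anti_framing(response.headers,
    #                      getattr(response, "allowed_frame_ancestors", None))
    # Here a plain dict stands in for response.headers (constructed sample).
    hdrs = {"Content-Security-Policy": "default-src 'self'"}
    print(apply_anti_framing(dict(hdrs)))                       # same-origin default
    print(apply_anti_framing(dict(hdrs), []))                   # deny all framing
    print(apply_anti_framing(dict(hdrs),
                             ["self", "https://partner.example"]))  # whitelist
```

Called once from a model file, the function runs on every request, so the policy also covers pages a developer forgets about; the same-origin default keeps the "frame our own pages" use case Massimo mentions working.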