[Bug 16210] New: Bug 15111 breaks the OPAC if JavaScript is disabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Bug ID: 16210 Summary: Bug 15111 breaks the OPAC if JavaScript is disabled Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: blocker Priority: P5 - low Component: OPAC Assignee: oleonard@myacpl.org Reporter: oleonard@myacpl.org QA Contact: testopia@bugs.koha-community.org Since Bug 15111, if you have JavaScript disabled the OPAC is broken. It only displays a blank page. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Christopher Brannon <cbrannon@cdalibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |16179 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16179 [Bug 16179] Clicking Rate me button in OPAC without selecting rating produces error -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #1 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- I use NoScript and Iceweasel 38.2.1 and the OPAC displays correctly. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 --- Comment #2 from Owen Leonard <oleonard@myacpl.org> --- I tested in Iceweasel by disabling JS via the the Web Developer Toolbar (http://chrispederick.com/work/web-developer/), but it also works to use about:config and set the javascript.enabled preference to "false." In Chromium I use an extension called "Quick Javascript Switcher." I can reproduce the problem in both. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |15111 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 --- Comment #3 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Same comment as bug 15111 comment 33: Well, we have a problem. After reading this https://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_B... it seems that it is not possible not to be vulnerable to XFS and render something with JS disabled... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 --- Comment #4 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- If I understand correctly, setting X-Frame-Options to SAMEORIGIN should be enough for mordern browsers: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options The antiClickjack trick could be removed if we decide not to support them anymore. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Marc Véron <veron@veron.ch> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |veron@veron.ch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Mirko Tietgen <mirko@abunchofthings.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mirko@abunchofthings.net --- Comment #5 from Mirko Tietgen <mirko@abunchofthings.net> --- (In reply to Jonathan Druart from comment #4)
If I understand correctly, setting X-Frame-Options to SAMEORIGIN should be enough for mordern browsers: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
The antiClickjack trick could be removed if we decide not to support them anymore.
Supported are Firefox 3.6.9 September 2010 IE 8 March 2008 Opera 10.5 March 2010 Safari 4 February 2009 Chrome 4.1.… somewhen 2010 If that fixes the problem in general I vote for using it. One thing that needs to be checked if it works with recent mobile browsers, the website does not really say that. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 --- Comment #6 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 50051 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50051&action=edit Bug 16210: Revert OPAC changes from Bug 15111 This patch reverts the changes made at the OPAC from the following patches: Do not include the antiClickjack legacy browser trick for greybox" Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox" This reverts commit fc640d2a86f395ad392f84314bce22e8b4dab1fe. Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN" This reverts commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df. Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks" This reverts commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929. Setting X-Frame-Options to SAMEORIGIN is enough for mordern browsers: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options The antiClickjack trick should be removed at the OPAC as we want to keep the OPAC usable even if the user has disabled JS. That means the OPAC will be vulnerable to XFS if a user is navigating with a prehistoric browser: Firefox 3.6.9 September 2010 IE 8 March 2008 Opera 10.5 March 2010 Safari 4 February 2009 Chrome 4.1.… somewhen 2010 Test plan: Confirm that there are no regression of bug 15111 with modern browsers -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 --- Comment #7 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 50052 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50052&action=edit Bug 16210: Set X-Frame-Options to SAMEORIGIN in 2 other places The login page should not be displayed if the page is displayed in a frame. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|oleonard@myacpl.org |jonathan.druart@bugs.koha-c | |ommunity.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Marc Véron <veron@veron.ch> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #50051|0 |1 is obsolete| | --- Comment #8 from Marc Véron <veron@veron.ch> --- Created attachment 50147 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50147&action=edit Bug 16210: Revert OPAC changes from Bug 15111 This patch reverts the changes made at the OPAC from the following patches: Do not include the antiClickjack legacy browser trick for greybox" Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox" This reverts commit fc640d2a86f395ad392f84314bce22e8b4dab1fe. Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN" This reverts commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df. Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks" This reverts commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929. Setting X-Frame-Options to SAMEORIGIN is enough for mordern browsers: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options The antiClickjack trick should be removed at the OPAC as we want to keep the OPAC usable even if the user has disabled JS. That means the OPAC will be vulnerable to XFS if a user is navigating with a prehistoric browser: Firefox 3.6.9 September 2010 IE 8 March 2008 Opera 10.5 March 2010 Safari 4 February 2009 Chrome 4.1.… somewhen 2010 Test plan: Confirm that there are no regression of bug 15111 with modern browsers Signed-off-by: Marc Véron <veron@veron.ch> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Marc Véron <veron@veron.ch> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #50052|0 |1 is obsolete| | --- Comment #9 from Marc Véron <veron@veron.ch> --- Created attachment 50148 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50148&action=edit Bug 16210: Set X-Frame-Options to SAMEORIGIN in 2 other places The login page should not be displayed if the page is displayed in a frame. Signed-off-by: Marc Véron <veron@veron.ch> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Marc Véron <veron@veron.ch> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 --- Comment #10 from Owen Leonard <oleonard@myacpl.org> --- This works for me to enable use of the OPAC without JavaScript, which I think is an important goal. I think we can rationalize the vulnerability for older browsers by saying "If you're still using one of these browsers you are probably vulnerable to any number of other terrible security problems because of your old computer and/or browser and what's one more?" I will leave it to someone who knows better than I to test whether this solves the security problem it's meant to fix. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |chris@bigballofwax.co.nz --- Comment #11 from Chris Cormack <chris@bigballofwax.co.nz> --- (In reply to Owen Leonard from comment #10)
This works for me to enable use of the OPAC without JavaScript, which I think is an important goal.
I think we can rationalize the vulnerability for older browsers by saying "If you're still using one of these browsers you are probably vulnerable to any number of other terrible security problems because of your old computer and/or browser and what's one more?"
I will leave it to someone who knows better than I to test whether this solves the security problem it's meant to fix.
Yeah, it does what it should, and yep if you are running a 6 year old browser, chances are someone already is doing all your internet banking for you. Having someone put a hold on a book you don't want, is the least of your worries at that point. I think it is better to allow those who run without JS turned on (often for very legitimate reasons) to be able to use the OPAC. Than to try to support browsers from last decade. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #50147|0 |1 is obsolete| | Attachment #50148|0 |1 is obsolete| | --- Comment #12 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 50220 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50220&action=edit [PASSED QA] Bug 16210: Revert OPAC changes from Bug 15111 This patch reverts the changes made at the OPAC from the following patches: Do not include the antiClickjack legacy browser trick for greybox" Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox" This reverts commit fc640d2a86f395ad392f84314bce22e8b4dab1fe. Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN" This reverts commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df. Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks" This reverts commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929. Setting X-Frame-Options to SAMEORIGIN is enough for mordern browsers: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options The antiClickjack trick should be removed at the OPAC as we want to keep the OPAC usable even if the user has disabled JS. That means the OPAC will be vulnerable to XFS if a user is navigating with a prehistoric browser: Firefox 3.6.9 September 2010 IE 8 March 2008 Opera 10.5 March 2010 Safari 4 February 2009 Chrome 4.1.… somewhen 2010 Test plan: Confirm that there are no regression of bug 15111 with modern browsers Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 --- Comment #13 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 50221 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50221&action=edit [PASSED QA] Bug 16210: Set X-Frame-Options to SAMEORIGIN in 2 other places The login page should not be displayed if the page is displayed in a frame. Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Brendan Gallagher <brendan@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |brendan@bywatersolutions.co | |m Status|Passed QA |Pushed to Master --- Comment #14 from Brendan Gallagher <brendan@bywatersolutions.com> --- Pushed to Master - Should be in the May 2016 release. Thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |julian.maurice@biblibre.com Status|Pushed to Master |Pushed to Stable --- Comment #15 from Julian Maurice <julian.maurice@biblibre.com> --- Patches pushed to 3.22.x, will be in 3.22.6 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Frédéric Demians <frederic@tamil.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |frederic@tamil.fr --- Comment #16 from Frédéric Demians <frederic@tamil.fr> --- Pushed to 3.22.x, will be in 3.20.11. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210 Bug 16210 depends on bug 15111, which changed state. Bug 15111 Summary: Koha is vulnerable to Cross-Frame Scripting (XFS) attacks https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15111 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Stable |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org