A potential clickjacking issue is reported while running a Checkmarx report on an Angular 13 project.
The issue is reported for app.component.html even if I try fixing it using a frame-busting script in the index.html file.
Any suggestions to fix this issue?
1) Approach: Frame-busting script added to index.html
<style> html {display : none; } </style>
<script>
if ( self === top )
{ document.documentElement.style.display = 'block'; }
else
{ top.location = encodeURI(self.location); }
</script>
Result: One more high priority issue was raised: Client DOM open redirect
2) Approach: adding frame-ancestors to the CSP meta tag inside index.html
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' *.tech.orange; upgrade-insecure-requests; frame-ancestors 'none';">
Result: Issue persists
3) Approach: setting X-Frame-Options for the authentication service and the auth-http interceptor
Inside authentication service:
const myheader = new HttpHeaders()
  .set('Content-Type', CONTENT_TYPE)
  .set('Authorization', AUTH_AUTHENTICATION)
  .set('Content-Security-Policy', CSP_TYPE)
  .set('X-Frame-Options', 'SAMEORIGIN');
Inside auth-http interceptor:
intercept(req: HttpRequest<any>, next: HttpHandler) {
  const token = this.tokenService.getToken();
  if (token != null) {
    req = req.clone({ headers: req.headers.set('Authorization', 'Bearer ' + token) });
    req = req.clone({
      headers: req.headers.set('Authorization', 'Bearer ' + token).set('X-Frame-Options', 'sameorigin')
    });
  }
  return next.handle(req);
}
Result: Issue persists
4) Approach: Setting X-Frame-Options inside the head as a separate meta tag, alongside the CSP meta tag
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' *.tech.orange; upgrade-insecure-requests;">
<meta http-equiv="X-Frame-Options" content="deny">
Result: Issue persists
5) Approach: A fix to the frame-busting script used in the earlier approach, as per the Stack Overflow recommendation below:
Implementing Checkmarx suggested clickjacking fix introduces high severity Client DOM XSS vulnerability
top.location = encodeURI(self.location);
Result: Issue persists
6) Approach: Configuring Nginx
To configure Nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:
add_header X-Frame-Options SAMEORIGIN always;
Result: Issue persists
7) Approach: Installing the npm package X-frame-options
Not enough usage explanation for Angular
Result: Unable to verify
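An added check, not part of the question and not Checkmarx's or Angular's code: browsers enforce X-Frame-Options and CSP frame-ancestors only when they arrive as HTTP response headers, never from a <meta> tag and never from headers the Angular client attaches to its own outgoing requests, so the useful test is to look at what the server actually returns. The sample header blocks below are constructed; check_url assumes curl is installed.

```shell
# Reads a raw HTTP header block on stdin. Returns 0 when cross-origin framing
# is restricted (CSP frame-ancestors set to anything other than '*', or
# X-Frame-Options DENY/SAMEORIGIN), 1 otherwise. frame-ancestors wins over
# X-Frame-Options when both are present, matching browser precedence.
framing_protected() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    fa=$(printf '%s\n' "$hdrs" | grep '^content-security-policy:' \
         | sed -n 's/.*frame-ancestors[[:space:]]*\([^;]*\).*/\1/p' \
         | sed 's/[[:space:]]*$//' | head -n 1)
    if [ -n "$fa" ]; then
        [ "$fa" != "*" ]      # 'none', 'self' or an explicit origin list
        return
    fi
    xfo=$(printf '%s\n' "$hdrs" | grep '^x-frame-options:' \
          | sed 's/^x-frame-options:[[:space:]]*//; s/[[:space:]]*$//' | head -n 1)
    case "$xfo" in
        deny|sameorigin) return 0 ;;
        *)               return 1 ;;   # absent, or an unsupported value
    esac
}

# Live check against a deployed app (assumes curl is available).
check_url() {
    curl -sI "$1" | framing_protected
}

# Constructed sample responses, not captured from a real server.
SAMPLE_NGINX_XFO='HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN'          # what the nginx add_header line produces

SAMPLE_CSP="HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'"

SAMPLE_META_ONLY='HTTP/1.1 200 OK
Content-Type: text/html'              # meta tags live in the body: invisible here

SAMPLE_OPEN_CSP="HTTP/1.1 200 OK
Content-Security-Policy: frame-ancestors *"

for s in "$SAMPLE_NGINX_XFO" "$SAMPLE_CSP" "$SAMPLE_META_ONLY" "$SAMPLE_OPEN_CSP"; do
    if printf '%s\n' "$s" | framing_protected; then echo "protected"; else echo "FRAMABLE"; fi
done
```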
Comments (2)
Yes it is working now.