Added by Deleted user almost 7 years ago
Hello everyone,
is there any way to allow XSS for OpenProject? We have a central portal where all of our tools come together and I would love to integrate OpenProject via XSS.
Any help would be highly appreciated!
Cheers,
Martin
Replies (9)
I ran into a problem where I couldn’t embed OpenProject into a frame (I was adding it as an “External Site” in NextCloud)
Not sure if that’s what you’re looking to do, but if so, and you’re running Apache as a gateway to OpenProject, try this:
in your Apache config file, likely:
/etc/apache2/sites-available/openproject.conf
under the line “Include /etc….” or anywhere in the <VirtualHost *:443> section, add:
SetEnv proxy-nokeepalive 1
RequestHeader set "X-Forwarded-Proto" "https"
Header unset X-Frame-Options
Header merge Cache-Control no-cache
Header set Access-Control-Allow-Origin "*"
and then restart Apache.
Cheers,
David.
Hello David,
thank you so much - it worked! I tried every configuration of the conf file I could imagine in the past, but never got it to work.
Thanks again for sharing your solution!
Cheers,
Martin
Please note that for the packaged installation, the OpenProject config at
/etc/apache2/sites-available/openproject.conf
will be regenerated upon calling openproject configure on every update.
A better way to place these overrides is in a new file in the directory /etc/openproject/addons/apache2/includes/vhost/, which is included by openproject.conf.
Best,
Oliver
Hello Oliver,
thank you for the heads up and suggestion!
Cheers,
Martin
Hello David, hello Oliver,
today I updated to OP 8 (magnificent, by the way!) and unfortunately XSS no longer works. I'm at a loss why that is the case. Do you guys have any idea what might have changed to cause this? I would be grateful for any advice!
Cheers,
Martin
Hi Martin,
I am not sure if I understand your setup right. However, one important change in 8.0 is the activation of a pretty restrictive Content Security Policy (CSP). We activate it to dramatically decrease the probability of XSS attacks.
So I think you should look at least at these two lines:
You probably need to overwrite the values according to your needs.
Wieland
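Added example, not posted by anyone in the thread: a drop-in for the includes directory Oliver mentions that lets only the central portal frame OpenProject, instead of stripping framing protection for every origin as the earlier snippet does. The file name, the hostname portal.example.com, and the assumption that OpenProject's Content-Security-Policy response header already carries a frame-ancestors directive are all placeholders/assumptions of this example.

```apache
# /etc/openproject/addons/apache2/includes/vhost/framing.conf  (file name is a placeholder)
# Included into the openproject.conf vhost, so it survives "openproject configure".
# Requires mod_headers (a2enmod headers).

# Still needed behind a TLS-terminating proxy so the app builds https:// URLs.
RequestHeader set X-Forwarded-Proto "https"

# Weak settings from the thread, kept here only for comparison:
#   Header unset X-Frame-Options              -> any site may frame OpenProject (clickjacking risk)
#   Header set Access-Control-Allow-Origin "*" -> not required for an <iframe>; it only relaxes
#                                                cross-origin reads of the responses
# Neither is enabled below.

# X-Frame-Options has no per-origin allow value that current browsers honour, so drop it
# and let CSP frame-ancestors carry the allow-list. "always" also covers error responses.
Header always unset X-Frame-Options

# Rewrite only the frame-ancestors directive of the app's own policy; the rest of the CSP
# that OpenProject 8 ships stays intact. Assumes the header already contains frame-ancestors.
Header always edit Content-Security-Policy "frame-ancestors[^;]*" "frame-ancestors 'self' https://portal.example.com"
```

After reloading Apache, check the result with curl -sI https://openproject.example.com/ and confirm that no X-Frame-Options line is returned and that the Content-Security-Policy line lists only 'self' and the portal under frame-ancestors.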
Hi Wieland,
thank you for pointing me in the right direction! :)
Cheers,
Martin
When you are saying XSS no longer works, what exactly do you mean by that? What is the scenario in which you are trying to have cross domain functionality?
Ah sorry, had the tab open for some hours and didn't see Wieland answering already.