Allow XSS for a specific origin

Added by Deleted user over 7 years ago

Hello everyone,

is there any way to allow XSS for OpenProject? We have a central portal where all of our tools come together and I would love to integrate OpenProject via XSS.

Any help would be highly appreciated!

Cheers,
Martin


Replies (9)

RE: Allow XSS for a specific origin - Added by David Szego over 7 years ago

I ran into a problem where I couldn’t embed OpenProject into a frame (I was adding it as an “External Site” in NextCloud)

Not sure if that’s what you’re looking to do, but if so, and you’re running Apache as a gateway to OpenProject, try this:

in your Apache config file, likely:
/etc/apache2/sites-available/openproject.conf

under the line “Include /etc….” or anywhere in the <VirtualHost *:443> section, add:

SetEnv proxy-nokeepalive 1
RequestHeader set "X-Forwarded-Proto" "https"
Header unset X-Frame-Options
Header merge Cache-Control no-cache
Header set Access-Control-Allow-Origin "*"

and then restart Apache.

Cheers,
David.

RE: Allow XSS for a specific origin - Added by Deleted user over 7 years ago

Hello David,

thank you so much - it worked! I tried every configuration of the conf file I could imagine in the past, but never got it to work.

Thanks again for sharing your solution!

Cheers,
Martin

RE: Allow XSS for a specific origin - Added by Oliver Günther over 7 years ago

Please note that for the packaged installation, the OpenProject config at /etc/apache2/sites-available/openproject.conf will be regenerated upon calling openproject configure on every update.

A better way to place these overrides is in a new file in the directory /etc/openproject/addons/apache2/includes/vhost/, which is included by openproject.conf.

Best,
Oliver
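Worked example, added here by the editor; it is not OpenProject's shipped configuration and not code from either poster. It places David's overrides in the directory Oliver names, but scoped to one trusted portal origin rather than `*`. What the thread calls "XSS" is cross-origin embedding of OpenProject in a frame (plus, optionally, API calls from the portal's scripts), not cross-site scripting, so the headers that matter are X-Frame-Options, Content-Security-Policy frame-ancestors and the CORS headers. The file name `portal-embed.conf` and the origin `https://portal.example.com` are assumptions; `Header setifempty` needs Apache 2.4.7 or later.

```apacheconf
# /etc/openproject/addons/apache2/includes/vhost/portal-embed.conf
# Added example: directory from Oliver's reply, file name and portal origin assumed.
# Survives "openproject configure" because openproject.conf includes this directory.

# David's proxy settings, unchanged.
SetEnv proxy-nokeepalive 1
RequestHeader set X-Forwarded-Proto "https"
Header merge Cache-Control no-cache

# Framing. Drop the application's X-Frame-Options (its only standard values are
# DENY and SAMEORIGIN, so it cannot name a foreign origin) and express the allow
# list with CSP frame-ancestors instead. "always" covers non-2xx responses too.
Header unset X-Frame-Options
Header always unset X-Frame-Options

# If the application already sends a Content-Security-Policy with frame-ancestors
# (OpenProject does from 8.0), rewrite that directive in place. Adding a second
# CSP header would not help: browsers enforce every policy, so the stricter
# "frame-ancestors 'self'" from the application would still block the portal.
Header edit        Content-Security-Policy "frame-ancestors [^;]*" "frame-ancestors 'self' https://portal.example.com"
Header always edit Content-Security-Policy "frame-ancestors [^;]*" "frame-ancestors 'self' https://portal.example.com"
# If the application sends no CSP at all (pre-8.0), supply one, so that removing
# X-Frame-Options does not leave framing open to every site on the internet.
Header setifempty Content-Security-Policy "frame-ancestors 'self' https://portal.example.com"

# CORS. Only needed if scripts on the portal call the OpenProject API directly.
# A fixed origin instead of "*": browsers refuse to send cookies to a "*" origin,
# and with a fixed origin plus credentials the portal acts as the logged-in user,
# so this is a trust decision about the portal, not a cosmetic change.
Header set   Access-Control-Allow-Origin      "https://portal.example.com"
Header set   Access-Control-Allow-Credentials "true"
Header merge Vary Origin
```

After `systemctl reload apache2`, check the result from outside with `curl -sI https://openproject.example.com/ | grep -i -e x-frame-options -e content-security-policy`: X-Frame-Options should be gone and exactly one Content-Security-Policy header should list the portal under frame-ancestors. If the application's policy has no frame-ancestors directive at all, `Header edit` matches nothing and the fallback `setifempty` does not fire either; in that case add the directive explicitly.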

RE: Allow XSS for a specific origin - Added by Deleted user over 7 years ago

Hello Oliver,

thank you for the heads up and suggestion!

Cheers,
Martin

RE: Allow XSS for a specific origin - Added by Deleted user over 6 years ago

Hello David, hello Oliver,

today I updated to OP 8 (magnificent, by the way!) and unfortunately XSS no longer works. I'm at a loss why that is the case. Do you guys have any idea what might have changed to cause this? I would be grateful for any advice!

Cheers,

Martin

RE: RE: Allow XSS for a specific origin - Added by Wieland Lindenthal over 6 years ago

Hi Martin,

I am not sure if I understand your setup right. However, one important change in 8.0 is the activation of a pretty restrictive Content Security Policy (CSP). We activate it to dramatically decrease the probability of XSS attacks.

So I think you should look at least at these two lines:

  • https://github.com/opf/openproject/blob/4cd874b550644960242a4f514be4add3fd4da0c6/config/initializers/secure_headers.rb#L49
  • https://github.com/opf/openproject/blob/4cd874b550644960242a4f514be4add3fd4da0c6/config/initializers/secure_headers.rb#L8

You probably need to overwrite the values according to your needs.

Wieland
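To see concretely why the old override stopped working in 8.0, here is a small checker, added by the editor and not OpenProject code (OpenProject is written in Ruby, hence the language): given the response headers a browser receives, it decides whether a page on a given origin may embed the application in a frame. It implements the precedence browsers use, namely that a Content-Security-Policy frame-ancestors directive wins over X-Frame-Options, that several CSP policies are all enforced, and that with neither header framing is allowed. The header samples, the origins `https://openproject.example.com` and `https://portal.example.com`, and the constants below are constructed for the example.

```ruby
require 'uri'

# Added example (not OpenProject code): can `embedder_origin` put a page from
# `own_origin` in an <iframe>, given the response headers the page was served with?
Origin = Struct.new(:scheme, :host, :port) do
  def self.parse(url)
    u = URI.parse(url)
    new(u.scheme.downcase, u.host.downcase, u.port) # URI fills in the default port
  end
end

DEFAULT_PORT = { 'http' => 80, 'https' => 443 }.freeze

# Does one frame-ancestors source expression match the embedding page's origin?
def source_matches?(src, embedder, own)
  case src
  when "'none'" then false
  when "'self'" then embedder == own
  when '*'      then true
  when /\A([a-z][a-z0-9+.-]*):\z/i                     # scheme-only source, e.g. "https:"
    embedder.scheme == $1.downcase
  else                                                  # host source: [scheme://][*.]host[:port|:*]
    m = src.match(%r{\A(?:([a-z][a-z0-9+.-]*)://)?(\*\.)?([^:/*]+)(?::(\d+|\*))?\z}i)
    return false unless m
    scheme = (m[1] || own.scheme).downcase              # no scheme given: the page's own scheme applies
    host   = m[3].downcase
    return false unless embedder.scheme == scheme
    return false unless m[2] ? embedder.host.end_with?(".#{host}") : embedder.host == host
    case m[4]
    when nil then embedder.port == DEFAULT_PORT[scheme]
    when '*' then true
    else embedder.port == m[4].to_i
    end
  end
end

# Source list of the frame-ancestors directive in one policy, or nil if absent.
def frame_ancestors(policy)
  policy.split(';').map(&:strip).each do |directive|
    name, *sources = directive.split(/\s+/)
    return sources if name&.downcase == 'frame-ancestors'
  end
  nil
end

def framing_allowed?(headers, own_origin:, embedder_origin:)
  own      = Origin.parse(own_origin)
  embedder = Origin.parse(embedder_origin)
  h = headers.transform_keys { |k| k.to_s.downcase }

  # Every CSP policy present (repeated header or comma-joined values) is enforced,
  # so each one that carries frame-ancestors must allow the embedder.
  policies = Array(h['content-security-policy']).flat_map { |v| v.split(',') }
  lists = policies.map { |p| frame_ancestors(p) }.compact
  return lists.all? { |srcs| srcs.any? { |s| source_matches?(s, embedder, own) } } unless lists.empty?

  # No frame-ancestors anywhere: X-Frame-Options decides, as the HTML spec checks it.
  values = Array(h['x-frame-options']).flat_map { |v| v.split(',') }.map { |v| v.strip.upcase }.uniq
  return true  if values.empty?        # header absent: any site may frame the page
  return false if values.size > 1      # conflicting values: browsers refuse to frame
  case values.first
  when 'DENY'       then false
  when 'SAMEORIGIN' then embedder == own
  else true                            # unrecognised value (ALLOW-FROM included) is ignored today
  end
end

# Constructed samples: what a proxy in front of OpenProject might send.
OP     = 'https://openproject.example.com'
PORTAL = 'https://portal.example.com'
SAMPLE_PRE8_UNSET    = {}                                      # David's "Header unset X-Frame-Options", pre-8.0
SAMPLE_OP8_DEFAULT   = { 'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'self'" }
SAMPLE_OP8_PORTAL    = { 'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'self' #{PORTAL}" }
SAMPLE_TWO_POLICIES  = { 'Content-Security-Policy' => ["frame-ancestors 'self'", "frame-ancestors 'self' #{PORTAL}"] }

if __FILE__ == $PROGRAM_NAME
  { 'pre-8.0, X-Frame-Options removed' => SAMPLE_PRE8_UNSET,
    '8.0 default CSP'                  => SAMPLE_OP8_DEFAULT,
    '8.0 CSP listing the portal'       => SAMPLE_OP8_PORTAL,
    'two policies, stricter one wins'  => SAMPLE_TWO_POLICIES }.each do |label, hdrs|
    puts "#{label}: #{framing_allowed?(hdrs, own_origin: OP, embedder_origin: PORTAL)}"
  end
end
```

The second sample is Martin's situation after the upgrade: X-Frame-Options is gone, yet the application's own `frame-ancestors 'self'` still refuses the portal, so the override has to change the CSP, not just drop a header. The fourth sample shows why adding a second, looser policy at the proxy does not help.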

RE: Allow XSS for a specific origin - Added by Deleted user over 6 years ago

Hi Wieland,

thank you for pointing me in the right direction! :)

Cheers,

Martin

RE: RE: Allow XSS for a specific origin - Added by Jens Ulferts over 6 years ago

When you are saying XSS no longer works, what exactly do you mean by that? What is the scenario in which you are trying to have cross domain functionality?

RE: Allow XSS for a specific origin - Added by Jens Ulferts over 6 years ago

Ah sorry, had the tab open for some hours and didn't see Wieland answering already.
