Bug #26033
closed
Openscap report cannot open in iframe since CSRF headers
Description
When displaying an openscap report in 8.2, we end up having an iframe component with a CSRF error:
This is due to the iframe calling an Openscap API endpoint as its src, but the CSRF mitigation headers are missing.
Therefore the HTML report cannot be loaded, even though it exists at /var/rudder/shared-files/root/files/<nodeId>/openscap_report.html
We should have a safe way to render the openscap HTML content directly into the page.
Updated by Nicolas CHARLES 9 days ago
- Priority changed from To review to 1 (highest)
Updated by François ARMAND 9 days ago
- Target version changed from 8.2 to 8.1
We will need to adapt the whole sanitization to make that work. We don't need any js on openscap reports.
Updated by François ARMAND 9 days ago
- Status changed from New to In progress
- Assignee changed from Clark ANDRIANASOLO to François ARMAND
Updated by François ARMAND 9 days ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Clark ANDRIANASOLO
- Pull Request set to https://github.com/Normation/rudder-plugins/pull/777
Updated by Anonymous 8 days ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder:rudder-plugins|fa7a481066a28467f5c8316aed358bd688242b59.
Updated by Alexis Mousset 8 days ago
- Related to Architecture #26068: Deny iframes in Rudder added
Updated by Vincent MEMBRÉ 5 days ago
This bug has been fixed in Rudder plugin openscap v8.1.10-2.2
Updated by Vincent MEMBRÉ 5 days ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder plugin openscap v8.2.3-2.2