Bug #26033

closed

Openscap report cannot open in iframe since CSRF headers

Added by Clark ANDRIANASOLO 16 days ago. Updated 6 days ago.

Status: Released
Priority: 1 (highest)
Target version:
Severity: Major - prevents use of part of Rudder | no simple workaround
UX impact: It bothers me each time
User visibility: Getting started - demo | first install | Technique editor and level 1 Techniques
Effort required: Small
Priority: 130
Name check: To do
Fix check: To do
Regression: No

Description

When displaying an openscap report in 8.2, we end up having an iframe component with a CSRF error:

This is due to the iframe calling an Openscap API endpoint as its src but the CSRF mitigation headers are missing.
Therefore the HTML report cannot be loaded, even though it exists at /var/rudder/shared-files/root/files/<nodeId>/openscap_report.html

We should have a safe way to render the openscap HTML content directly into the page.


Files

clipboard-202412061052-a2ttx.png (37.2 KB), Clark ANDRIANASOLO, 2024-12-06 10:52

Subtasks 2 (0 open, 2 closed)

Bug #26065: OpenSCAP report needs to be rendered without iframe with sanitized html (Released, François ARMAND)
Bug #26066: OpenSCAP needs queryContext and has build issues from stale properties file (Released, François ARMAND)

Related issues 1 (1 open, 0 closed)

Related to Rudder - Architecture #26068: Deny iframes in Rudder (Pending release, Clark ANDRIANASOLO)