
Add Cross-Origin-Opener-Policy header to login pages

Open · JGpGH opened this issue 1 year ago · 1 comment

Cross-Origin-Opener-Policy header on login pages

Problem

It seems like by default the OAuth Authorize page and perhaps other login pages do not have the Cross-Origin-Opener-Policy header present, making the pages vulnerable to cross-site leaks. Combined with social engineering, an attacker could get enough information and control from the child window to take over someone's account by redirecting to the wrong OAuth app.

Solution

Add Cross-Origin-Opener-Policy: same-origin header to login pages

Alternatives/workarounds

One alternative would be to inject the following in all login pages to close the application whenever it's opened from any other window. The second one (probably the most secure and clean) is to use a K8 egress to add the header on all login pages; however, the latter requires a slightly more complex deployment setup.

Related

  • https://github.com/FusionAuth/fusionauth-issues/issues/1510
  • https://github.com/FusionAuth/fusionauth-issues/issues/2095
  • https://github.com/FusionAuth/fusionauth-issues/issues/2847

JGpGH · Aug 21 '24 18:08
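The two mitigations the issue proposes (the `Cross-Origin-Opener-Policy: same-origin` response header and the client-side "close if opened from another window" fallback), as an added example written for Node's `http` module; this is not FusionAuth's code, the helper names are hypothetical, and the login paths are constructed for the demonstration.

```javascript
// Added example, not FusionAuth's code. Helper names are hypothetical and
// the login paths below are constructed for the demonstration.
const LOGIN_PATH_PREFIXES = ["/oauth2/authorize", "/login"];

function isLoginPage(pathname) {
  return LOGIN_PATH_PREFIXES.some((p) => pathname === p || pathname.startsWith(p + "/"));
}

// Does this COOP value sever the opener relationship with a cross-origin
// opener? Both non-default values do; the issue asks for the stricter
// "same-origin", which also drops references to cross-origin popups the
// login page itself opens. A missing header means "unsafe-none": no isolation.
// The value may carry a "; report-to=..." suffix, which is ignored here.
function coopSeversCrossOriginOpener(headerValue) {
  const v = (headerValue ?? "unsafe-none").split(";")[0].trim().toLowerCase();
  return v === "same-origin" || v === "same-origin-allow-popups";
}

// Server-side fix from the "Solution" section: add the header to every
// login-page response. Browsers honour COOP only in secure contexts, so the
// pages must be served over HTTPS for the header to take effect.
function addCoopHeader(req, res) {
  const { pathname } = new URL(req.url, "https://placeholder.invalid");
  if (isLoginPage(pathname)) {
    res.setHeader("Cross-Origin-Opener-Policy", "same-origin");
    return true;
  }
  return false;
}

// Client-side fallback from the first workaround: a login page that finds
// it was opened by another window closes itself. The window object is a
// parameter so the logic can be exercised outside a browser.
function closeIfOpenedFromAnotherWindow(win) {
  if (win.opener) {
    win.close();
    return true;
  }
  return false;
}

// Audit helper: given the response headers of a login page (lower-cased
// keys, as Node's IncomingMessage.headers provides), report whether the
// cross-site leak described in the issue is mitigated.
function loginPageIsIsolated(pathname, headers) {
  if (!isLoginPage(pathname)) return true; // not a login page: out of scope
  return coopSeversCrossOriginOpener(headers["cross-origin-opener-policy"]);
}
```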

Thanks for the suggestion @JGpGH !

mooreds · Sep 23 '24 22:09