HSTS/CSP response headers

Lipscomb, Gary glipscomb at csu.edu.au
Mon Nov 5 00:11:54 EST 2018

Hi all,

We are in the process of upgrading from idp 3.3.3 to idp 3.4.0
• RHEL 7
• Tomcat 7
• Oracle 8

And have found the following new settings in idp.properties have broken our Blackboard site which links out to other web sites, sometimes in iframes.

# HSTS/CSP response headers
#idp.hsts = max-age=0
# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
#idp.frameoptions = DENY
# Content-Security-Policy value, set to match X-Frame-Options default
#idp.csp = frame-ancestors 'none';

The only reference we can find on the Shibboleth wiki is in relation to jetty.

I've been asked

I found the jira and emails where this was discussed but apart from that this is the only shib doc I can find referring to this (and it’s a different config format) - https://wiki.shibboleth.net/confluence/display/IDP30/Jetty93#Jetty93-ClickjackMitigation

My guess from the linked mdn docs is at the moment we probably  want Content-Security-Policy: frame-ancestors https://*.csu.edu.au and X-Frame-Options: allow-from https://*.csu.edu.au/ though I’m unsure from that doc if wildcards are supported on the X-Frame-options

Maybe we could use https://bb2.csu.edu.au/ (and equivs for devel and qa) if bb2 is the only place we want this but maybe there are more cases to discover – it looks like config could have the same issues as fine grained CORS config though maybe less of an issue for you if only in IDP config rather than all our httpds?

If your quoted values are the default I’m assuming the csp additions must be always on? There’s no way of turning off this new functionality completely (rather than configuring it permissively)?

Is the above suggestion feasible




This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email, you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery. Email should be checked for viruses and defects before opening. Charles Sturt University (CSU) does not accept liability for viruses or any consequence which arise as a result of this email transmission. Email communications with CSU may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read at CSU. The views expressed in this email are not necessarily those of CSU.
Charles Sturt University in Australia The Grange Chancellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 708 551; CRICOS Provider Number: 00005F (National)). TEQSA Provider Number: PV12018
Consider the environment before printing this email.

More information about the users mailing list