Hello Splunksters,
Well, I am trying to keep a bit of security to avoid click-jacking, though I find myself in a pickle.
I have found this link: https://answers.splunk.com/answers/104277/iframes-and-views-broken-after-splunk-6-upgrade.html
Though I would like to make a slight mod and allow a specific site to have access, and not just allow all with the "False" setting.
Any ideas?
Could I use the "# external UI URIs" setting in web.conf somehow?
Thanks!
Splunk uses the X-Frame-Options header with SAMEORIGIN. I also want to use ALLOW-FROM, but that is not supported on browsers like Chrome and Safari.
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#X-Frame-Options_Header_Types
If Splunk decided to use the Content-Security-Policy frame-ancestors header, then you could state the allowed domains.
You can actually do this now. While etc/system/local/web.conf contains x_frame_options_sameorigin = false under the [settings] stanza, add:
replyHeader.Content-Security-Policy = frame-ancestors 'self'
Thanks @ben_leung, it works quite well. I checked it with Splunk Enterprise 8.1.2. In this version it's not even necessary to set x_frame_options_sameorigin to false. It will be automatically overruled if you're on a domain that is allowed by the Content-Security-Policy.
We use it like this:
replyHeader.Content-Security-Policy = frame-ancestors 'self' https://example1.com https://example2.com
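One way to check a candidate replyHeader.Content-Security-Policy value before deploying it, as an added example that is not code from this thread or from Splunk: a small Python evaluator for the frame-ancestors directive that answers "may origin X embed this page?" the way a browser would. PAGE_ORIGIN and the sample header values are constructed for illustration (the hostnames are placeholders). It also shows why the keyword must be written 'self' with quotes: an unquoted self is parsed as a host-source for a host literally named "self", so the page would not be allowed to frame itself.

```python
"""
Evaluate which embedding origins a Content-Security-Policy frame-ancestors
directive admits, so a web.conf replyHeader.Content-Security-Policy value can
be checked before it is deployed.

Added example for this thread; it is not code from Splunk or from any poster
here. PAGE_ORIGIN and the sample header values below are constructed.
"""
from urllib.parse import urlsplit

# Constructed: the origin Splunk Web is served from (assumption, not from the thread).
PAGE_ORIGIN = "https://splunk.corp.example:8000"

# Constructed sample header values: the quoted form a browser accepts, and the
# unquoted form, which CSP parses as a host named "self" rather than the keyword.
CSP_QUOTED = "frame-ancestors 'self' https://example1.com https://example2.com"
CSP_UNQUOTED = "frame-ancestors self https://example1.com https://example2.com"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _origin_parts(origin):
    """Split an origin string into (scheme, host, port), filling in the default port."""
    o = urlsplit(origin)
    scheme = o.scheme.lower()
    return scheme, (o.hostname or "").lower(), o.port or _DEFAULT_PORTS.get(scheme)


def _host_source_matches(source, origin):
    """Match a host-source ([scheme://]host[:port], host may start with *.) against an origin."""
    scheme, host, port = _origin_parts(origin)
    src_scheme, sep, rest = source.partition("://")
    if not sep:                      # no scheme given: any scheme is acceptable
        src_scheme, rest = None, source
    src_host, _, src_port = rest.partition(":")
    if src_scheme and src_scheme != scheme:
        return False
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):   # *.example.com matches a.example.com, not example.com
            return False
    elif src_host != host:
        return False
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    return True


def _source_matches(source, origin, page_origin):
    """Decide whether one source expression admits the embedding origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":                           # the keyword: quotes are required
        return _origin_parts(origin) == _origin_parts(page_origin)
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:   # scheme-source such as https:
        return _origin_parts(origin)[0] == src[:-1]
    return _host_source_matches(src, origin)     # unquoted self lands here as a hostname


def frame_allowed(csp, embedder_origin, page_origin=PAGE_ORIGIN):
    """True/False if frame-ancestors decides; None if the directive is absent,
    in which case only X-Frame-Options (if sent) restricts framing."""
    sources = parse_frame_ancestors(csp)
    if sources is None:
        return None
    return any(_source_matches(s, embedder_origin, page_origin) for s in sources)


if __name__ == "__main__":
    for csp in (CSP_QUOTED, CSP_UNQUOTED):
        print(csp)
        for embedder in (PAGE_ORIGIN, "https://example1.com",
                         "http://example1.com", "https://evil.example"):
            print(f"  {embedder:32} -> {frame_allowed(csp, embedder)}")
```

To compare against what the server really sends after a restart of Splunk Web, fetch the response headers (following the redirect to the locale path) with `curl -sIL https://<splunk-host>:8000/ | grep -i -e content-security-policy -e x-frame-options` and paste the Content-Security-Policy value into frame_allowed.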