Wednesday, August 31, 2011

New Browser Security Attributes in APEX 4.1

A friend recently asked if I could look into an issue he was experiencing with the new SkillBuilders Modal Page plug-in. The modal page would only display the loading image, no other content would ever load. After a little digging I tracked the issue down to some new features.

Oracle Application Express (APEX) 4.1 added two new Browser Security attributes: Cache and Embed in Frames. The attributes can be found by navigating to Shared Components > Security Attributes > Browser Security (region). Clicking on the items’ labels reveals some great documentation. I couldn’t find any other documentation online to link to so I’ve copied the contents here for everyone to see:

Cache

Enabling the cache allows the browser to save the contents of your application's pages in its cache, both in memory and on disk. If a user presses the browser back button, the page will typically be loaded from the cache, not from the server. If the cache is disabled, the browser is instructed to not save page content and will request it anew from the server.

From a security perspective the cache should be disabled, so the browser does not store sensitive data and will always request pages if the URL changes. Otherwise, it may even be possible to go back in the browser history after a logout and see cached content of the former session.

Disabling the browser cache will also prevent subtle back button issues with pages that use partial page refreshes for example pages with Interactive Reports.

If this item is set to "Disabled", Application Express will send the HTTP header cache-control: no-store which instructs the Browser to not cache the page contents on disk or in memory.

Note: This feature requires modern browsers that support the HTTP header response variable "cache-control".

 

Embed in Frames 

Use this attribute to control if the browser is allowed to display your application's pages within a frame:

  • Deny: The page cannot be displayed in a frame, regardless of the site attempting to do so.
  • Allow from same origin: The page can only be displayed in a frame on the same origin as the page itself.
  • Allow: The page can be displayed in any frame.

Displaying pages within frames can be misused with "clickjacking" attacks, when an attacker uses multiple layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is hijacking clicks (and/or keystrokes) meant for their page and routing them to another page.

Note: This feature requires modern browsers that support the HTTP header response variable "X-Frame-Options".

 

If you’re still reading this well done! Winking smile

The Embed in Frames attribute was preventing the plug-in from working correctly - it was set to “Deny”. As the plug-in uses iframes, this attribute’s value must be set to either “Allow from same origin” or “Allow”. After upgrading to APEX 4.1, existing applications will be set to “Allow” but new applications will be set to “Deny”. Perhaps “Allow from same origin” would have been a better choice for the new default?

At the end of the day, the new Cache and Embed in Frames security attributes are very powerful in that they can help make your applications more secure with very little investment. Also, the additional benefits of the Cache feature sound great. However, developers should be mindful of the impact these attributes can have on their applications. Always test!

17 comments:

  1. Many Thanks to you for this information. I had this problem, and no idea why it wouldn't work. It's working now! THANKS!!

    ReplyDelete
  2. Thanks for this tip...I wonder why the plugin is not working correctly..it saved me tons of time

    ReplyDelete
  3. Ah! Spent a good 2 hours trying to fathom out why the demo apps would work and my new apps would not.

    Teach me to read all the notes!

    Many thanks indeed!

    ReplyDelete
  4. Hello Mr.Dan I applied all steps in video to install and make the the modal page work .. but unfortunately
    it didn't work .. and I made the security attributes changes but it still not working .. I am using Firefox browser last version

    Regards & Many Thanks

    ReplyDelete
  5. Anonymous,

    Please put up a demo of you application on apex.oracle.com. Email me your workspace credentials including the workspace name, user name, and password along with a description of how to reproduce the problem.

    Regards,
    Dan

    ReplyDelete
  6. Dear Dan,
    good day, I sent the access info to you but i didn't see any reply from you ..
    there are any problems in access info ??
    Please if there are any problem send to me ..
    many thanks
    Mohamed Elhalaby

    ReplyDelete
  7. Mohamed,

    I went to edit the plug-in and set the theme to a number from 1-5, not custom.

    It works fine.

    Regards,
    Dan

    ReplyDelete
  8. Dear Dan,
    Many many many thanks it works :D
    and thank you for your interest and I appreciate it ,

    I have another question ..
    Can I stop back to the previous page when i press the backspace button in the current page ??
    I hope that you got what I mean .

    Regards & Many thanks Mr.Dan for your support
    Mohamed Elhalaby

    ReplyDelete
  9. Mohamed,

    Not with these security settings, no. Try goggling "html prevent back button".

    Regards,
    Dan

    ReplyDelete
  10. Hi Dan,
    I'm using your plugin in a project but was missing a functionality that would have made my live easier: If you choose static url to reference the modal page, you don't have the option of passing in any page elements, say an ID. Therefor I added this code in your file apex_modal_page.js, starting from line 159:
    if (urlLocation === 'STATIC') {
    uiw._values.url = staticUrl;
    // replace item values in static utl with DOM-values
    // syntax requirement: element id is passed in at the respective position
    // using the following syntax #P000_ID#,#P000_NAME# etc.
    // added by Jürgen Sieben
    var UrlElements = staticUrl.split(':');
    if (UrlElements[7]){
    var itemIds = UrlElements[7].split(',');
    var itemId = "";
    for (var i = 0; i < itemIds.length; i++){
    itemId = itemIds[i].substr(0, itemIds[i].length - 1);
    itemIds[i] = $(itemId).val();
    }
    UrlElements[7] = itemIds.join(",");
    uiw._values.url = UrlElements.join(":");
    }
    }
    This allows for an enhanced static url syntax like in this example:
    f?p=&APP_ID.:200:&APP_SESSION.::NO::P200_ID:#P100_ID#
    btw.: Please remove a colon from your default static url ...
    I hope this enhancement is benefical for other users as well. Thanks for your well designed plugin!

    Best regards,
    Jürgen

    ReplyDelete
  11. Hi Dan:

    The service provider where I host my applications has upgraded yesterday to Application Express 4.2.0.00.27

    Now my SkillBuilders Modal Page (2.0.0) plugins don't work at all. They worked perfectly before yesterday, now they just do nothing. By the way, my RDS Customizable plugins don't work either.

    I've checked the [Browser Security] -> [Cache] and [Embed in Frames] settings. Cache is set to "Disabled", and Embed in Frames is set to "Allow from same origin".

    Is there anything else I should be checking? Do you know of any compatibility issues?

    Any and all assistance would be greatly appreciated!

    ReplyDelete
  12. Hi Jurgen,

    That's a good enhancement. I'll add this functionality in a future release of the plug-in. By the way, I recommend you use $v over jQuery's val method as that method doesn't know APEX items like $v does. Of course, you may end up with another issue if an item's value contains semicolons - something else to watch out for.

    Also, I'm not sure why I would remove a colon from the default static URL. Frankly I could remove all of the colons after the session ID but I chose to leave all of them there (along with a clear page cache example) to help others that may need them. An APEX URL has up to 9 values on the p parameter. While 7 and 8 are items and values (most of the time) position 9 is used to indicate printer friendly mode.

    Regards,
    Dan

    ReplyDelete
  13. Hi Anonymous,

    That's like saying I got a tune up and now my car wouldn't start, can you tell me what's wrong ;) I kid, I kid.

    Seriously though, I would need to see the problem. Try putting together an example and emailing me the details to reproduce. Make sure to include developer credentials.

    I'll get to it when I have time...

    Regards,
    Dan

    ReplyDelete
  14. aliya.insepova@kazakhmys.comNovember 26, 2012 at 6:02 AM

    Hello Dan.
    Thanks a lot, it's really good work. But I have one question. How to add on a module page the cancel button to back on previous page?

    ReplyDelete
  15. Aliya,

    Have your button redirect to a URL. Use the following for the URL:

    javascript:parent.$(parent.document).apex_modal_page('close');

    Regards,
    Dan

    ReplyDelete
  16. Hi!

    First of all, thank you for this plugin! And at second, you should add the information from this post to the manual or FAQ or something like that. God, I have spent a lot of time to find a reason why it doesn't work with one app and does with other one. Shame on me. :)

    Good luck,
    Alex

    ReplyDelete
  17. Alex,

    I'll look into adding a FAQ or something similar.

    Regards,
    Dan

    ReplyDelete