Wednesday, August 31, 2011

New Browser Security Attributes in APEX 4.1

A friend recently asked if I could look into an issue he was experiencing with the new SkillBuilders Modal Page plug-in. The modal page would only display the loading image, no other content would ever load. After a little digging I tracked the issue down to some new features.

Oracle Application Express (APEX) 4.1 added two new Browser Security attributes: Cache and Embed in Frames. The attributes can be found by navigating to Shared Components > Security Attributes > Browser Security (region). Clicking on the items’ labels reveals some great documentation. I couldn’t find any other documentation online to link to so I’ve copied the contents here for everyone to see:

Cache

Enabling the cache allows the browser to save the contents of your application's pages in its cache, both in memory and on disk. If a user presses the browser back button, the page will typically be loaded from the cache, not from the server. If the cache is disabled, the browser is instructed to not save page content and will request it anew from the server.

From a security perspective the cache should be disabled, so the browser does not store sensitive data and will always request pages if the URL changes. Otherwise, it may even be possible to go back in the browser history after a logout and see cached content of the former session.

Disabling the browser cache will also prevent subtle back button issues with pages that use partial page refreshes for example pages with Interactive Reports.

If this item is set to "Disabled", Application Express will send the HTTP header cache-control: no-store which instructs the Browser to not cache the page contents on disk or in memory.

Note: This feature requires modern browsers that support the HTTP header response variable "cache-control".

 

Embed in Frames 

Use this attribute to control if the browser is allowed to display your application's pages within a frame:

  • Deny: The page cannot be displayed in a frame, regardless of the site attempting to do so.
  • Allow from same origin: The page can only be displayed in a frame on the same origin as the page itself.
  • Allow: The page can be displayed in any frame.

Displaying pages within frames can be misused with "clickjacking" attacks, when an attacker uses multiple layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks (and/or keystrokes) meant for their page and routing them to another page.

Note: This feature requires modern browsers that support the HTTP header response variable "X-Frame-Options".

 

If you’re still reading this, well done!

The Embed in Frames attribute was preventing the plug-in from working correctly - it was set to “Deny”. As the plug-in uses iframes, this attribute’s value must be set to either “Allow from same origin” or “Allow”. After upgrading to APEX 4.1, existing applications will be set to “Allow” but new applications will be set to “Deny”. Perhaps “Allow from same origin” would have been a better choice for the new default?
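As an added illustration (not code from this post, from SkillBuilders or from Oracle APEX), the Python script below inspects a page's HTTP response headers for the two settings described above and works out whether a browser would let an iframe-based plug-in embed the page. The header sets are constructed to mirror the documented behaviour: Cache = Disabled sends cache-control: no-store, and Embed in Frames is assumed to map to X-Frame-Options DENY, SAMEORIGIN, or no header at all for Allow. The URLs and header sets are placeholders, not captured from a real APEX instance.

```python
"""Check the HTTP headers behind APEX 4.1's Browser Security attributes.

Added example, not from the blog post or from Oracle APEX. The header
dictionaries below are constructed by hand; the assumption is that
"Cache = Disabled" produces "cache-control: no-store" and that "Embed in
Frames" becomes X-Frame-Options DENY / SAMEORIGIN, with no header for Allow.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _header(headers, name):
    """Case-insensitive lookup: HTTP header names are not case sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cache_disabled(headers):
    """True when the response forbids storing the page (Cache = Disabled)."""
    value = _header(headers, "Cache-Control")
    if value is None:
        return False
    directives = {d.strip().lower() for d in value.split(",")}
    return "no-store" in directives


def frame_policy(headers):
    """Return 'deny', 'sameorigin' or 'allow' as a browser would read it."""
    value = _header(headers, "X-Frame-Options")
    if value is None:
        return "allow"  # no header: any site may frame the page
    value = value.strip().upper()
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "sameorigin"
    return "allow"  # browsers ignore unrecognised values, which equals Allow


def _origin(url):
    """(scheme, host, port) triple; scheme default ports are filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme))


def framing_allowed(headers, page_url, embedding_url):
    """Would a browser render page_url inside a frame hosted at embedding_url?"""
    policy = frame_policy(headers)
    if policy == "allow":
        return True
    if policy == "deny":
        return False
    return _origin(page_url) == _origin(embedding_url)


def audit(headers):
    """List the weaknesses a reviewer would flag for one page's headers."""
    findings = []
    if not cache_disabled(headers):
        findings.append("Cache-Control lacks no-store: pages may be replayed "
                        "from the browser cache after logout")
    if frame_policy(headers) == "allow":
        findings.append("X-Frame-Options missing or ignored: any site may "
                        "frame the page (clickjacking)")
    return findings


# Constructed samples (placeholders, not real server output).
NEW_APP = {  # new application after the upgrade: Cache=Disabled, Frames=Deny
    "Content-Type": "text/html;charset=UTF-8",
    "Cache-Control": "no-store",
    "X-Frame-Options": "DENY",
}
UPGRADED_APP = {  # existing application: Frames=Allow, cache still enabled
    "Content-Type": "text/html;charset=UTF-8",
    "Cache-Control": "max-age=0",
}
SAME_ORIGIN_APP = {"Cache-Control": "no-store", "X-Frame-Options": "SAMEORIGIN"}

# Placeholder URLs for an APEX page and the page that tries to frame it.
PAGE = "https://apex.example.com/ords/f?p=100:1"
SAME_SITE_PARENT = "https://apex.example.com/ords/f?p=100:2"
OTHER_SITE_PARENT = "https://other.example.net/"

if __name__ == "__main__":
    for label, hdrs in (("new app", NEW_APP), ("upgraded app", UPGRADED_APP),
                        ("same-origin app", SAME_ORIGIN_APP)):
        print(label, "->", audit(hdrs) or ["no findings"])
        print("  plug-in iframe from same site works:",
              framing_allowed(hdrs, PAGE, SAME_SITE_PARENT))
```

The three samples reproduce the trade-off in the post: DENY blocks the same-site iframe the plug-in relies on, the absence of the header lets any site frame the page, and SAMEORIGIN keeps the plug-in working while still refusing frames from other origins. Note that two URLs count as the same origin only when scheme, host and port all match, which is why the helper fills in the scheme's default port before comparing.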

At the end of the day, the new Cache and Embed in Frames security attributes are very powerful in that they can help make your applications more secure with very little investment. Also, the additional benefits of the Cache feature sound great. However, developers should be mindful of the impact these attributes can have on their applications. Always test!

Wednesday, August 24, 2011

Upcoming Webinar – Introducing SkillBuilders Modal Plug-in

Our next Application Express plug-in is ready to be introduced to the community. Although our plug-ins are generally well documented, sometimes it’s easier to learn how to use something by seeing it in action – this is your chance!

Abstract

Modal windows are very popular these days – and for good reason. They can help focus users’ attention on new content without disturbing their overall context within an application – and they’re cool too! Our latest plug-in, SkillBuilders Modal Page, was designed to display entire APEX pages as modal dialogs. Rather than just release the plug-in into the wild, we thought we’d take the opportunity to provide some hands on training with it. If you’re in need of a modal page solution, or you’d simply like to learn more about installing and leveraging plug-ins in APEX, do not miss this session.

Click here to register.

As usual, it’s free to attend – but it’s real training. I’ll show you several scenarios where use of the plug-in could be beneficial. Then you’ll learn how to perform the same customizations on your own once you’ve downloaded the plug-in. Everything from installation of the plug-in to event bindings with jQuery will be covered.

The webinar will run on Wednesday, August 31 at 12pm EDT. To see other time zones, click the registration link and then on the “Show in my Time Zone” link at the top of the page.