bugzilla.redhat.com (2a02:26f0:1700:799::762)

URL: https://bugzilla.redhat.com/show_bug.cgi?id=1980688
Submission: On March 15 via api from SE — Scanned from DE


<form name="changeform" id="changeform" method="post" action="process_bug.cgi">
  <input type="hidden" name="delta_ts" value="2022-02-02 07:32:48">
  <input type="hidden" name="id" value="1980688">
  <input type="hidden" name="token" value="1647330068-D2mHJoerx874PIFM-hpdIMZhbPSAoEODwU2Rh6V22UY">
  <div class="bz_short_desc_container edit_form">
    <a href="show_bug.cgi?id=1980688"><b>Bug&nbsp;1980688</b></a> <span id="summary_container"> (<span id="alias_nonedit_display">CVE-2021-3660</span>) - <span
        id="short_desc_nonedit_display"><a href="https://access.redhat.com/security/cve/CVE-2021-3660">CVE-2021-3660</a> cockpit: pages vulnerable to clickjacking</span>
    </span>
    <div id="summary_input" class="bz_default_hidden"><span class="field_label " id="field_label_short_desc">
        <a title="The bug summary is a short sentence which succinctly describes what the bug is about." class="field_help_link" href="page.cgi?id=fields.html#short_desc">Summary:</a>
      </span>CVE-2021-3660 cockpit: pages vulnerable to clickjacking </div>
  </div>
  <table class="edit_form">
    <tbody>
      <tr>
        <td id="bz_show_bug_column_1" class="bz_show_bug_column">
          <table>
            <tbody>
              <tr>
                <th class="field_label">
                  <a href="describekeywords.cgi">Keywords</a>:
                </th>
                <td>
                  <div class="keywords_select">
                    <select id="keywords" name="keywords" disabled="" multiple="multiple" tabindex="-1" class="selectized" style="display: none;">
                      <option value="Security" selected="selected">Security </option>
                    </select>
                    <div class="selectize-control multi plugin-remove_button plugin-minimum_search_length plugin-extra_keys_control plugin-related_fields plugin-load_from_js">
                      <div class="selectize-input items not-full has-options has-items disabled locked">
                        <div class="item"
                          title="Bugs with the &quot;Security&quot; keyword are those that relate to a security vulnerability with a Red Hat product or service. For further information on how to report a security vulnerability to Red Hat please see the &quot;Security Contacts and Procedures&quot; page at http://www.redhat.com/security/team/contact/"
                          data-value="Security">Security <a href="javascript:void(0)" class="remove" tabindex="-1" title="Remove">×</a></div><input type="select-multiple" autocomplete="off" tabindex="-1" id="keywords-selectized" disabled=""
                          style="width: 4px;">
                      </div>
                      <div class="selectize-dropdown multi plugin-remove_button plugin-minimum_search_length plugin-extra_keys_control plugin-related_fields plugin-load_from_js" style="display: none;">
                        <div class="selectize-dropdown-content"></div>
                      </div>
                    </div>
                  </div>
                </td>
              </tr>
              <tr>
                <th class="field_label">
                  <a href="page.cgi?id=fields.html#bug_status">Status</a>:
                </th>
                <td id="bz_field_status">
                  <span id="static_bug_status">NEW </span>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_alias">
                  <a title="A short, unique name assigned to a bug in order to assist with looking it up and referring to it in other places in Bugzilla." class="field_help_link" href="page.cgi?id=fields.html#alias">Alias:</a>
                </th>
                <td>CVE-2021-3660 </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_product">
                  <a title="Bugs are categorised into Products and Components. Select a Classification to narrow down this list." class="field_help_link" href="describecomponents.cgi">Product:</a>
                </th>
                <td class="field_value " id="field_container_product">Security Response </td>
              </tr>
              <tr class="bz_default_hidden">
                <th class="field_label " id="field_label_classification">
                  <a title="Bugs are categorised into Classifications, Products and Components. classifications is the top-level categorisation." class="field_help_link" href="page.cgi?id=fields.html#classification">Classification:</a>
                </th>
                <td class="field_value " id="field_container_classification">Other </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_component">
                  <a title="Components are second-level categories; each belongs to a particular Product. Select a Product to narrow down this list." class="field_help_link" href="describecomponents.cgi?product=Security Response">Component:</a>
                </th>
                <td>
                  <input type="hidden" id="component" name="component" value="vulnerability">vulnerability <span class="show_others">
                    <a href="buglist.cgi?component=vulnerability&amp;product=Security%20Response" title="Show other bugs for this component"><i class="fas fa-th-list"></i></a>
                    <a href="enter_bug.cgi?component=vulnerability&amp;product=Security%20Response&amp;version=unspecified" title="Create a new bug for this component"><i class="fas fa-plus-circle"></i></a>
                  </span>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_version">
                  <a title="The version field defines the version of the software the bug was found in." class="field_help_link" href="page.cgi?id=fields.html#version">Version:</a>
                </th>
                <td>
                  <span id="version">unspecified </span>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_rep_platform">
                  <a title="The hardware platform the bug was observed on. Note: When searching, selecting the option &quot;All&quot; only finds bugs whose value for this field is literally the word &quot;All&quot;." class="field_help_link" href="page.cgi?id=fields.html#rep_platform">Hardware:</a>
                </th>
                <td class="field_value">All </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_op_sys">
                  <a title="The operating system the bug was observed on. Note: When searching, selecting the option &quot;All&quot; only finds bugs whose value for this field is literally the word &quot;All&quot;." class="field_help_link" href="page.cgi?id=fields.html#op_sys">OS:</a>
                </th>
                <td class="field_value"> Linux </td>
              </tr>
              <tr>
                <th class="field_label">
                  <label accesskey="i">
                    <a href="page.cgi?id=fields.html#priority">Priority:</a></label>
                </th>
                <td>low </td>
              </tr>
              <tr>
                <th class="field_label">
                  <label><a href="page.cgi?id=fields.html#bug_severity">Severity:</a>
                  </label>
                </th>
                <td> low </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_target_milestone">
                  <a title="The Target Milestone field is used to define when the engineer the bug is assigned to expects to fix it." class="field_help_link" href="page.cgi?id=fields.html#target_milestone">Target Milestone:</a>
                </th>
                <td>
                  <span id="target_milestone">--- </span>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_assigned_to">
                  <a title="The person in charge of resolving the bug." class="field_help_link" href="page.cgi?id=fields.html#assigned_to">Assignee:</a>
                </th>
                <td><span class="vcard redhat_user"><span class="fn">Red Hat Product Security</span>
                  </span>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_qa_contact">
                  <a title="The person responsible for confirming this bug if it is unconfirmed, and for verifying the fix once the bug has been resolved." class="field_help_link" href="page.cgi?id=fields.html#qa_contact">QA Contact:</a>
                </th>
                <td><span class="vcard ">
                  </span>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_docs_contact">
                  <label for="docs_contact" accesskey="q">
                    <a title="The person responsible for documenting once the bug has been resolved." class="field_help_link" href="page.cgi?id=fields.html#docs_contact">Docs Contact:</a>
                  </label>
                </th>
                <td><span class="vcard ">
                  </span>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_bug_file_loc">
                  <a title="Bugs can have a URL associated with them - for example, a pointer to a web site where the problem is seen." class="field_help_link" href="page.cgi?id=fields.html#bug_file_loc">URL:</a>
                </th>
                <td>
                  <span id="bz_url_input_area">
                  </span>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_status_whiteboard">
                  <a title="Each bug has a free-form single line text entry box for adding tags and status information." class="field_help_link" href="page.cgi?id=fields.html#status_whiteboard">Whiteboard:</a>
                </th>
                <td>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_dependson">
                  <a title="The bugs listed here must be resolved before this bug can be resolved." class="field_help_link" href="page.cgi?id=fields.html#dependson">Depends On:</a>
                </th>
                <td>
                  <span id="dependson_input_area">
                  </span>
                  <a class="bz_bug_link bz_secure" title="" href="show_bug.cgi?id=1984902">1984902</a>
                  <a class="bz_bug_link bz_secure" title="" href="show_bug.cgi?id=1984951">1984951</a>
                  <a class="bz_bug_link bz_status_CLOSED bz_closed" title="CLOSED ERRATA - CVE-2021-3660 cockpit: pages vulnerable to clickjacking [fedora-all]" href="show_bug.cgi?id=1984907">1984907</a>
                  <a class="bz_bug_link bz_secure" title="" href="show_bug.cgi?id=1993778">1993778</a>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_blocked">
                  <a title="This bug must be resolved before the bugs listed in this field can be resolved." class="field_help_link" href="page.cgi?id=fields.html#blocked">Blocks:</a>
                </th>
                <td>
                  <span id="blocked_input_area">
                  </span>
                  <a class="bz_bug_link bz_secure" title="" href="show_bug.cgi?id=1970978">1970978</a>
                </td>
              </tr>
              <tr>
                <th class="field_label">TreeView+</th>
                <td>
                  <a href="buglist.cgi?bug_id=1980688&amp;bug_id_type=anddependson&amp;format=tvp">
        depends on</a> / <a href="buglist.cgi?bug_id=1980688&amp;bug_id_type=andblocked&amp;format=tvp&amp;tvp_dir=blocked">
        blocked</a>
                </td>
                <td></td>
              </tr>
            </tbody>
          </table>
        </td>
        <td>
          <div class="bz_column_spacer">&nbsp;</div>
        </td>
        <td id="bz_show_bug_column_2" class="bz_show_bug_column">
          <table>
            <tbody>
              <tr>
                <th class="field_label">
                  <a href="page.cgi?id=fields.html#reporter">Reported:</a>
                </th>
                <td>2021-07-09 09:25 UTC by <span class="vcard redhat_user"><span class="fn">Cedric Buissart</span>
                  </span>
                </td>
              </tr>
              <tr>
                <th class="field_label">
                  <a href="page.cgi?id=fields.html#modified">Modified:</a>
                </th>
                <td>2022-02-02 07:32 UTC (<a href="show_activity.cgi?id=1980688">History</a>) </td>
              </tr>
              <tr>
                <th class="field_label">
                  <label accesskey="a">
                    <a href="page.cgi?id=fields.html#cclist">CC List:</a>
                  </label>
                </th>
                <td>21 users <span id="cc_edit_area_showhide_container"> (<a href="#" id="cc_edit_area_showhide">show</a>) </span>
                  <div id="cc_edit_area" class="bz_default_hidden">
                    <br>
                    <select id="cc" multiple="multiple" size="5">
                      <option value="bmontgom">bmontgom</option>
                      <option value="dblechte">dblechte</option>
                      <option value="dfediuck">dfediuck</option>
                      <option value="dperpeet">dperpeet</option>
                      <option value="eedri">eedri</option>
                      <option value="eparis">eparis</option>
                      <option value="jburrell">jburrell</option>
                      <option value="michal.skrivanek">michal.skrivanek</option>
                      <option value="mmarusak">mmarusak</option>
                      <option value="mpitt">mpitt</option>
                      <option value="nstielau">nstielau</option>
                      <option value="patrick">patrick</option>
                      <option value="pvolpe">pvolpe</option>
                      <option value="sbonazzo">sbonazzo</option>
                      <option value="security-response-team">security-response-team</option>
                      <option value="sfowler">sfowler</option>
                      <option value="sherold">sherold</option>
                      <option value="sponnaga">sponnaga</option>
                      <option value="stefw">stefw</option>
                      <option value="tcrider">tcrider</option>
                      <option value="yturgema">yturgema</option>
                    </select>
                  </div>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_cf_fixed_in">
                  <a title="The full package version. PGM uses to check if brew ...">Fixed In Version:</a>
                </th>
                <td class="field_value " id="field_container_cf_fixed_in" colspan="2">
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_cf_doc_type">
                  <a title="Click the information icon to the right to see the description">Doc Type:</a>
                  <i class="fas fa-info-circle pop-text" onclick="alertify.alert('Doc Type', BB_FIELDS['cf_doc_type'].long_desc)" title="Click to see full description"></i>
                </th>
                <td class="field_value " id="field_container_cf_doc_type" colspan="2">If docs needed, set a value <span id="cf_doc_warn"></span></td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_cf_release_notes">
                  <a title="Click the information icon to the right to see the description">Doc Text:</a>
                  <i class="fas fa-info-circle pop-text" onclick="alertify.alert('Doc Text', BB_FIELDS['cf_release_notes'].long_desc)" title="Click to see full description"></i>
                </th>
                <td class="field_value " id="field_container_cf_release_notes" colspan="2">
                  <div class="uneditable_textarea">Cockpit (and its plugins) do not seem to protect themselves against clickjacking. It is possible to render a page from a cockpit server via another website, inside an &lt;iframe&gt; HTML element. This may
                    be used by a malicious website in clickjacking or similar attacks.</div>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_cf_clone_of">
                  <a title="The bug listed here was the bug cloned to create thi...">Clone Of:</a>
                </th>
                <td class="field_value " id="field_container_cf_clone_of" colspan="2">
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_cf_environment">
                  <a title="This field is used for unformatted text that helps t...">Environment:</a>
                </th>
                <td class="field_value " id="field_container_cf_environment" colspan="2">
                  <div class="uneditable_textarea"></div>
                </td>
              </tr>
              <tr>
                <th class="field_label " id="field_label_cf_last_closed">
                  <a title="When this bug was last marked as closed. Used for st...">Last Closed:</a>
                </th>
                <td class="field_value " id="field_container_cf_last_closed" colspan="2">
                </td>
              </tr>
            </tbody>
          </table>
        </td>
      </tr>
      <tr>
        <td colspan="3">
          <hr id="bz_top_half_spacer">
        </td>
      </tr>
    </tbody>
  </table>
  <table id="bz_big_form_parts">
    <tbody>
      <tr>
        <td>
          <br>
          <table id="attachment_table">
            <tbody>
              <tr id="a0">
                <th align="left"> Attachments </th>
                <th colspan="2" align="right">
                  <a href="page.cgi?id=terms-conditions.html">(Terms of Use)</a>
                </th>
              </tr>
              <tr class="bz_attach_footer">
                <td colspan="3">
                  <a href="attachment.cgi?bugid=1980688&amp;action=enter">Add an attachment</a> (proposed patch, testcase, etc.)
                </td>
              </tr>
            </tbody>
          </table>
          <br>
          <br>
          <table id="external_bugs_table" cellspacing="0" cellpadding="4">
            <caption name="et0" id="et0">Links</caption>
            <tbody>
              <tr>
                <th>System</th>
                <th>ID</th>
                <th>Private</th>
                <th>Priority</th>
                <th>Status</th>
                <th>Summary</th>
                <th>Last Updated</th>
              </tr>
              <tr id="ext_row_1832683">
                <td>Github </td>
                <td>
                  <a href="https://github.com/cockpit-project/cockpit/issues/16122">cockpit-project cockpit issues 16122</a>
                </td>
                <td>
                  <span id="ext_is_private_1832683">0 </span>
                </td>
                <td>
                  <span id="ext_priority_1832683">None </span>
                </td>
                <td>
                  <span id="ext_status_1832683">open </span>
                </td>
                <td>
                  <span id="ext_description_1832683" title="Is cockpit vulnerable to clickjacking?">Is cockpit vulnerable to clickjacking? </span>
                </td>
                <td>
                  <span id="ext_last_updated_1832683">2021-07-22 04:37:59 UTC </span>
                </td>
              </tr>
            </tbody>
          </table>
          <br>
        </td>
        <td class="groups">
        </td>
      </tr>
    </tbody>
  </table>
  <div id="comments">
    <table class="bz_comment_table">
      <tbody>
        <tr>
          <td>
            <div id="c0" class="bz_comment bz_first_comment
            ">
              <div class="bz_first_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c0">Description</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Cedric Buissart</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-07-09 09:25:56 UTC </span>
              </div>
              <pre class="bz_comment_text">Cockpit (and its plugins) does not seem to protect itself against clickjacking: it is possible to render a page from a cockpit server via another website, inside an &lt;iFrame&gt; HTML entry.

This may be used by a malicious website in clickjacking or similar attacks.


To prevent this behavior, an X-Frame-Options header could be added to the responses.

</pre>
            </div>
            <div id="c2" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c2">Comment 2</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Martin Pitt</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-07-09 09:56:58 UTC </span>
              </div>
              <pre class="bz_comment_text">You mean you can embed a Cockpit iframe into other web pages? That's actually explicitly documented/supported: <a href="https://cockpit-project.org/guide/latest/embedding.html">https://cockpit-project.org/guide/latest/embedding.html</a>

If I understand you correctly, you want to disable that (at least by default)? If embedding is not en vogue any more, we could default to "X-Frame-Options: sameorigin" [1] (which should at least retain the reverse-proxy case, like in Foreman/Satellite), and provide an option in cockpit.conf to open it up further? 

[1] <a href="https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options">https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options</a>

</pre>
            </div>
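The default Martin sketches above ("X-Frame-Options: sameorigin" with a configuration option to open it up), implemented as an added Python example; this is illustration code, not Cockpit's own web server or its cockpit.conf option, and the `allowed_frame_origins` parameter is an assumed name. It goes one step beyond the comment: an allow-list of embedding origins cannot be expressed with X-Frame-Options, so the function switches to the CSP frame-ancestors directive for that case.

```python
"""Emit anti-framing headers from a configurable embedding policy.

Added example, not Cockpit project code. Default: the page may only be
framed by its own origin. Optional: an allow-list of extra origins
(e.g. a reverse proxy in front of the web console). The parameter name
allowed_frame_origins is an assumption made for this example.
"""
from urllib.parse import urlsplit


def validate_origin(origin):
    """Accept only a bare scheme://host[:port] origin.

    Rejects paths, query strings, fragments and host wildcards so that a
    typo in the configuration cannot silently widen the policy.
    """
    parts = urlsplit(origin)
    if (parts.scheme not in ("https", "http") or not parts.netloc
            or "*" in parts.netloc or parts.path not in ("", "/")
            or parts.query or parts.fragment):
        raise ValueError(f"not a valid embedding origin: {origin!r}")
    return f"{parts.scheme}://{parts.netloc}"


def framing_headers(allowed_frame_origins=()):
    """Return the response headers for the configured embedding policy.

    With an empty allow-list both headers are sent: CSP frame-ancestors for
    current browsers and X-Frame-Options as a fallback for older ones.
    With entries, only CSP is sent, because X-Frame-Options has no usable
    allow-list form (ALLOW-FROM is obsolete) and SAMEORIGIN would block the
    listed origins in browsers that honour only X-Frame-Options.
    """
    sources = ["'self'"] + [validate_origin(o) for o in allowed_frame_origins]
    headers = {"Content-Security-Policy": "frame-ancestors " + " ".join(sources)}
    if not allowed_frame_origins:
        headers["X-Frame-Options"] = "SAMEORIGIN"
    return headers


if __name__ == "__main__":
    print(framing_headers())
    print(framing_headers(["https://proxy.example:8443"]))
```

Validating each configured origin before it reaches the header is the part worth copying: a value like `https://proxy.example/` is accepted and normalised, while anything with a path, query or wildcard host is refused at startup rather than producing a policy the browser silently ignores.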
            <div id="c3" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c3">Comment 3</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Cedric Buissart</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-07-09 11:45:05 UTC </span>
              </div>
              <pre class="bz_comment_text">The behavior triggers warnings on Web testing tools (e.g. Burp Suite).
The issue comes from the fact that a malicious site may target a user known to be logged in to cockpit, by, for example, hiding a cockpit page in a transparent frame, which might be clicked on by the user.

</pre>
            </div>
            <div id="c4" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c4">Comment 4</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Cedric Buissart</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-07-20 08:29:43 UTC </span>
              </div>
              <pre class="bz_comment_text">Hello Martin,

Yes, I think limiting the range of pages accessible via iFrames might be a good thing. At first sight, the attacks are very limited, since cockpit uses Web Sockets rather than GET/POST, but it might still be doable to do things like temporarily disable SELinux, since that button is accessible from a single click.

</pre>
            </div>
            <div id="c5" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c5">Comment 5</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Martin Pitt</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-07-22 04:38:03 UTC </span>
              </div>
              <pre class="bz_comment_text">Cedric: We'll investigate this. However, this is already public in pretty much the widest possible way: It is documented upstream [1], as a corresponding upstream issue [2], and has existed for many years. Does it make sense to keep this embargoed? If not, can this become a normal public bug against cockpit in RHEL 8?

[1] <a href="https://cockpit-project.org/guide/latest/embedding.html">https://cockpit-project.org/guide/latest/embedding.html</a>
[2] <a href="https://github.com/cockpit-project/cockpit/issues/16122">https://github.com/cockpit-project/cockpit/issues/16122</a>

</pre>
            </div>
            <div id="c6" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c6">Comment 6</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Cedric Buissart</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-07-22 08:58:59 UTC </span>
              </div>
              <pre class="bz_comment_text">In reply to <a href="show_bug.cgi?id=1980688#c5">comment #5</a>:
<span class="quote">&gt; Cedric: We'll investigate this. However, this is already public in pretty
&gt; much the widest possible way: It is documented upstream [1], as a
&gt; corresponding upstream issue [2], and has existed for many years. Does it
&gt; make sense to keep this embargoed? </span>
No, indeed, it doesn't. I am making it public.

<span class="quote">&gt; If not, can this become a normal public bug against cockpit in RHEL 8?</span>
However, I think this warrants a CVE, as other Web applications have been treated similarly (recent examples: Jenkins &amp; Kibana). This bug will be the generic flaw bug, describing the vulnerability, and I will open a tracker bug dedicated to RHEL-8 separately.

</pre>
            </div>
            <div id="c9" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c9">Comment 9</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Cedric Buissart</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-07-22 12:57:02 UTC </span>
              </div>
              <pre class="bz_comment_text">Created cockpit tracking bugs for this issue:

Affects: fedora-all [<a class="bz_bug_link bz_status_CLOSED bz_closed" title="CLOSED ERRATA - CVE-2021-3660 cockpit: pages vulnerable to clickjacking [fedora-all]" href="show_bug.cgi?id=1984907">bug 1984907</a>]

</pre>
            </div>
            <div id="c13" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c13">Comment 13</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Sandro Bonazzola</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-09-02 07:10:14 UTC </span>
              </div>
              <pre class="bz_comment_text">Is this affecting also RHEL 7?

</pre>
            </div>
            <div id="c14" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c14">Comment 14</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Martin Pitt</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-09-02 07:16:42 UTC </span>
              </div>
              <pre class="bz_comment_text">Yes, the embedding feature has been in cockpit since pretty much day one.

</pre>
            </div>
            <div id="c17" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c17">Comment 17</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Martin Pitt</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-09-13 13:30:12 UTC </span>
              </div>
              <pre class="bz_comment_text">@<a href="mailto:cbuissar@redhat.com">cbuissar@redhat.com</a> I looked into this more deeply now in <a href="https://github.com/cockpit-project/cockpit/pull/16342">https://github.com/cockpit-project/cockpit/pull/16342</a> . I first created a test which ensures that same-origin frame embedding actually works outside of the cockpit web server [1]. That's the case which we care about, which we want to support (and I think there is no contention here). Before, we only tested frame embedding inside of a cockpit session [2], which is not a realistic use case.

As I mentioned above, I have a hard time actually getting a cross-origin cockpit frame to work. I tested this with Chromium 90.0.4430 and Firefox 92.0, with your reproducer and with our test setup, and due to the "SameSite: strict" cookie policy, cross-origin frames don't retain authentication and thus I keep getting the login page. I wrote another test case for this [4] which gets the same result (it also illustrates that and where it should really fail, with setting X-Frame-Options:).

I would really like to understand *if* and *how* you were able to do this (as you wrote a reproducer). Did you actually see the authenticated pages, or just the login page? If the former, what exact browser, OS, cockpit version did you use? Where did you run cockpit, same or different machine as your file:/// reproducer?

Thanks!

[1] <a href="https://github.com/cockpit-project/cockpit/pull/16342/commits/2a3b6854107ec7f1713a8da7eaeb7c666bf0ee0e">https://github.com/cockpit-project/cockpit/pull/16342/commits/2a3b6854107ec7f1713a8da7eaeb7c666bf0ee0e</a>
[2] <a href="https://github.com/cockpit-project/cockpit/blob/main/test/verify/check-embed">https://github.com/cockpit-project/cockpit/blob/main/test/verify/check-embed</a>
[3] <a href="https://github.com/cockpit-project/cockpit/commit/46f6839d1af4e662648a85f3e54bba2d57f39f0e">https://github.com/cockpit-project/cockpit/commit/46f6839d1af4e662648a85f3e54bba2d57f39f0e</a>
[4] <a href="https://github.com/cockpit-project/cockpit/pull/16342/commits/f49ad4874e1b936abfb60607df735698cb672ae4">https://github.com/cockpit-project/cockpit/pull/16342/commits/f49ad4874e1b936abfb60607df735698cb672ae4</a>

</pre>
            </div>
            <div id="c18" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c18">Comment 18</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Martin Pitt</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-09-14 07:40:01 UTC </span>
              </div>
              <pre class="bz_comment_text">I now pushed the actual X-F-O bits/documentation/test to <a href="https://github.com/cockpit-project/cockpit/pull/16342">https://github.com/cockpit-project/cockpit/pull/16342</a> and added a release note/screenshot.

However, for evaluating the impact/backporting to stable releases etc., I'm still interested in whether this was really exploitable before, or you just saw the login page. Thanks!

</pre>
            </div>
            <div id="c23" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c23">Comment 23</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Sandro Bonazzola</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-09-17 14:28:02 UTC </span>
              </div>
              <pre class="bz_comment_text">(In reply to Martin Pitt from <a href="show_bug.cgi?id=1980688#c14">comment #14</a>)
<span class="quote">&gt; Yes, the embedding feature has been in cockpit since pretty much day one.</span>

Shouldn't we have a tracker for RHEL 7 here as well then?

</pre>
            </div>
            <div id="c25" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c25">Comment 25</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Martin Pitt</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-09-20 06:44:54 UTC </span>
              </div>
              <pre class="bz_comment_text">Cedric: Ah-aa! Thanks for the screenshot. Your target system was RHEL 8.3, I only tried with 8.4, 8.5, and Fedora. 8.3 still had a non-strict cookie policy, which got tightened in <a class="bz_bug_link bz_status_CLOSED bz_closed" title="CLOSED ERRATA - cockpit SameSite cookie attribute not present in Set-Cookie responses" href="show_bug.cgi?id=1891944">bug 1891944</a> / <a href="https://github.com/cockpit-project/cockpit/commit/46f6839d1af4e6">https://github.com/cockpit-project/cockpit/commit/46f6839d1af4e6</a> . That's the bit which prevents sending the login cookie through cross-origin frames, and mitigates most of the actual fallout here.

I can reproduce this with file:// now, with Firefox against the current RHEL 8.3 cloud image:

    qemu-system-x86_64 -cpu host -enable-kvm -nographic -m 2048 -drive file=rhel-guest-image-8.3-401.x86_64.qcow2,if=virtio -snapshot -cdrom cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp::2201-:22,hostfwd=tcp::9999-:9090

So indeed this only really affects Cockpit &lt; 236, i.e. RHEL 8.3 and below. Of course setting XFO should still be done (and we'll land that).

</pre>
            </div>
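Comments 17 and 25 turn on two independent response headers: whether the page may be framed at all (X-Frame-Options, or the CSP frame-ancestors directive where present, which browsers prefer over X-Frame-Options) and whether the session cookie is sent to a cross-origin frame at all (the SameSite attribute on Set-Cookie). The following audit is an added Python example, not Cockpit code: it reads a raw response head and reports both, so a reviewer can tell "frameable but only ever shows the login page" apart from "frameable with an authenticated session", which is the distinction Martin asks about. The sample responses are constructed for illustration and the cookie name `session` is a placeholder.

```python
"""Audit a response's clickjacking and cross-site-cookie defences.

Added example for this bug thread, not Cockpit project code. Sample
responses at the bottom are constructed, not captured from a Cockpit
server; "session" is a placeholder cookie name.
"""


def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status line, [(name, value)]).

    Header names are lower-cased; repeated headers (several Set-Cookie
    lines) are kept in order.
    """
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def frame_ancestors(headers):
    """Return the frame-ancestors source list from a CSP header, or None."""
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers):
    """Classify permitted embedding: deny, sameorigin, allow-list, unprotected."""
    ancestors = frame_ancestors(headers)
    if ancestors is not None:  # CSP wins over X-Frame-Options when both exist
        if ancestors == ["'none'"]:
            return "deny"
        if ancestors == ["'self'"]:
            return "sameorigin"
        return "allow-list"
    values = {v.strip().lower() for n, v in headers if n == "x-frame-options"}
    if values == {"deny"}:
        return "deny"
    if values == {"sameorigin"}:
        return "sameorigin"
    # No header, the obsolete ALLOW-FROM form, or conflicting values: browsers
    # ignore or reject these, so an audit must not count them as protection.
    return "unprotected"


def cookie_samesite(headers):
    """Return {cookie_name: 'strict'|'lax'|'none'|'missing'} per Set-Cookie."""
    result = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        samesite = "missing"
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "samesite":
                samesite = val.strip().lower() or "missing"
        result[cookie] = samesite
    return result


def audit(raw):
    """Combine both checks into a verdict about a cross-origin <iframe>."""
    _, headers = parse_response(raw)
    framing = framing_policy(headers)
    cookies = cookie_samesite(headers)
    # An embedded frame is not a top-level navigation, so Strict and Lax both
    # withhold the cookie. SameSite=None sends it; a missing attribute depends
    # on the browser default, which is the RHEL 8.3 / Firefox case above.
    sent = [c for c, s in cookies.items() if s in ("none", "missing")]
    if framing != "unprotected":
        verdict = "framing restricted"
    elif sent:
        verdict = "authenticated clickjacking possible"
    else:
        verdict = "frameable, but a cross-origin frame only shows the login page"
    return {"framing": framing, "cookies": cookies,
            "cookies_sent_cross_site": sent, "verdict": verdict}


# Constructed sample responses (placeholder values, not real Cockpit output).
BEFORE_FIX = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Set-Cookie: session=placeholder; Path=/; Secure; HttpOnly\r\n\r\n<html>")
SAMESITE_ONLY = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Set-Cookie: session=placeholder; Path=/; Secure; HttpOnly; SameSite=Strict\r\n\r\n<html>")
WITH_XFO = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: sameorigin\r\n"
            "Set-Cookie: session=placeholder; Path=/; Secure; HttpOnly; SameSite=Strict\r\n\r\n<html>")

if __name__ == "__main__":
    for label, resp in (("before", BEFORE_FIX), ("samesite only", SAMESITE_ONLY), ("with XFO", WITH_XFO)):
        print(f"{label}: {audit(resp)['verdict']}")
```

The three constructed samples map onto the thread: the first is the pre-236 state (no framing header, cookie without SameSite), the second is what the SameSite change alone gives (still frameable, but the frame carries no session), and the third is the state after X-Frame-Options is added on top.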
            <div id="c26" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c26">Comment 26</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Sandro Bonazzola</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-09-23 07:00:47 UTC </span>
              </div>
              <pre class="bz_comment_text">(In reply to Martin Pitt from <a href="show_bug.cgi?id=1980688#c25">comment #25</a>)

<span class="quote">&gt; So indeed this only really affects Cockpit &lt; 236, i.e. RHEL 8.3 and below.
&gt; Of course setting XFO should still be done (and we'll land that).</span>

So it seems this also affects RHEL 7.9 right?

</pre>
            </div>
            <div id="c27" class="bz_comment
            ">
              <div class="bz_comment_head">
                <span class="bz_comment_number">
                  <a href="show_bug.cgi?id=1980688#c27">Comment 27</a>
                </span>
                <span class="bz_comment_user">
                  <span class="vcard redhat_user"><span class="fn">Martin Pitt</span>
                  </span>
                </span>
                <span class="bz_comment_user_images">
                </span>
                <span class="bz_comment_time"> 2021-09-23 09:35:48 UTC </span>
              </div>
              <pre class="bz_comment_text">Sandro, correct.

</pre>
            </div>
            <script>
              $(document).ready(function() {
                var mysel = document.getElementsByClassName('flag_type-415')[0];
                var relnotes = document.getElementById('cf_release_notes');
                if (mysel && relnotes && relnotes.value != '' && relnotes.value != cf_doc_type_text[document.getElementById('cf_doc_type').value] && mysel.options[mysel.selectedIndex].value != '+') document.getElementById('cf_doc_warn')
                  .innerHTML = '<div class="warning "><b>Warning: Doc Text is not yet verified as correct</b></div>';
              });
            </script>
          </td>
          <td>
          </td>
        </tr>
      </tbody>
    </table>
  </div>
  <hr>
  <div id="add_comment" class="bz_section_additional_comments">
    <table>
      <tbody>
        <tr>
          <td>
            <fieldset>
              <legend>Note</legend> You need to <a href="show_bug.cgi?id=1980688&amp;GoAheadAndLogIn=1">log in</a> before you can comment on or make changes to this bug.
            </fieldset>
          </td>
        </tr>
      </tbody>
    </table>
  </div>
</form>


Bug 1980688 (CVE-2021-3660) - CVE-2021-3660 cockpit: pages vulnerable to clickjacking
Summary: CVE-2021-3660 cockpit: pages vulnerable to clickjacking
Keywords: Security
Status: NEW
Alias: CVE-2021-3660
Product: Security Response
Classification: Other
Component: vulnerability
Sub Component:
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On: 1984902 1984951 1984907 1993778
Blocks: 1970978
Reported: 2021-07-09 09:25 UTC by Cedric Buissart
Modified: 2022-02-02 07:32 UTC
CC List: 21 users: bmontgom dblechte dfediuck dperpeet eedri eparis jburrell michal.skrivanek mmarusak mpitt nstielau patrick pvolpe sbonazzo security-response-team sfowler sherold sponnaga stefw tcrider yturgema
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text: Cockpit (and its plugins) does not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
Clone Of:
Environment:
Last Closed:
