X-Frame-Options

[bajlek]

Hi, is it possible to edit X-Frame-Options to set it up to "SAMEORIGIN" I need to use iframe. Thank you

[evilaliv3]

Thank you @bajlek

The option X-Frame-Options is a deprecated and we are using the most modern version of it that is the Content-Security Policy frame-ancestors currently set to 'none' because at the moment we have not considered enabling the app to included by an IFRAME because this could make possible for the external app to intercept GlobaLeaks.

Would you please clarify which is your use case and why you consider such a change would be important?

[bajlek]

Thank you for reply. I need to use this site inside of another, best would be to use just forms. Thank you for your time, I know that this is not recomended.

[BeckeBauer]

same here, we need the reporting system only for our company and would like to have it as part of the intranet. It also avoids to "custom css" it including setup of all the links required by law, e.g. link to imprint, link to data protection information etc. which would need to be updated separately in case something is changed on the "main intranet"

[SirLitschi]

It would also be important for our company to be able to use the site in iframes.

[evilaliv3]

Thank you everyone for your feedback.

GlobaLeaks is a critical application and we care of the security of users, for this reason we could not open to configuration possibilities that are unsafe.

To achieve whatyou all need, probably as expert users you could set up a reverse proxy and achieve same result. That of course poses your system in the same unsafe sitatuon because owners of the external site and their administrators will be in possibility to intercept whistleblowers.

[BeckeBauer]

I understand that there are security concerns but I had hoped that you could let the user decide whether or not they want to implement your very high security standards (in particular since you propose a similar unsafe workaround at the same time)

Not all companies are untrustworthy and would exploit a possibile to intercept whistleblowsers (the majority of companies most probably even do not know how)

By the way, under EU jurisdiction, companies - although having the obligation to provide reporting channels for whistleblowers - are not required to provide for anonymous reporting

So, in case you change your mind it would be much appreciated...

[SirLitschi]

I fully agree with BeckeBauer. It would be perfect if the admin himself could decide whether to allow the integration in iframes or not. We are really hoping for a solution here. Thanks for the good work.

[evilaliv3]

Thank you @SirLitschi it is actually not a matter of trustworty or not trustworty, it is a matter of implementing proper security (confidentiality as required by the european directive) or not. By enabling iframes on a general site you enable enable unrestricted and uncontrolled access to information by the administrators and content managers of the container site. This is not just a violation of common good sense but its actually in violation of the Directive, GDPR, ISO27001 and any guideline on privacy.

[BeckeBauer]

Sorry that I have to disagree: using iframes is neither illegal nor an violation of an EU directive / data protection law. I think you are mixing the utilisation of technical means and exploiting such means to gain personal data about a wisthleblower.

I fully support that technologies like iframes should not be used to expose a whistleblower who wants to remain anonymous. But arguing that enabling iframes is a violation of law is simply not true...

[evilaliv3]

@BeckeBauer : i'm not talking about "anonymity" i'm talking about confidentiality (encryption)

Current system targets at having an end-to-end like encryption model where the data is encrypted from the whistleblower to the recipient.

Under the whistleblowing directive the only people enabled to access reports are the ones in charge of handling the reports. Lets call this users group A and suppose they are the users of the whistleblowing site A.
If you enable site A to be included in site B, you are enabling group B (not in charge of reading reports) to read reports withouth anyone noticing it. This is definitely in violation of the directive and of the 27001.

[BeckeBauer]

But this is what we are talking about the whole time: Our use case is to include the whistleblowing site A into the intranet of organisation A by way of iframe. There is no site B or group B.

Why would the serious organisation (A) implement a whistleblowing site from a dubious entity (B) by way of iframes???

[evilaliv3]

Thank you @BeckeBauer

I'm not saying that site A and site B belong do different organizations.
I'm saying that if you include Site A inside Site B, Site B administrators (not appointed as part of the Whistleblowing Office) will have very high ability to subvert the system vanishing any DPIA defined for the whistleblowing system.
In addition enabling to include the Site A (the GlobaLeaks platform very well peer reviewed and audited for whistleblowing purposes inside Site B (a whatever site) lowers many aspects of security to the security of Site B.

May i ask you why do you really need the inclusion inside an iframe for your aim? I mean you could anyhow limit access to the platform from your local network even without using iframes. No?

In addition if i may comment expose a whistleblowing system within an intranet only is very against the best practice as it is demonstrated that whistleblowers do not feel confortable blowing the whistle from the office as it is generally unsafe.
I'm saying that globaleaks is studied with maximum security in mind and:

[BeckeBauer]

I cannot follow anymore. I think only very big companies have several administrators for their intranet and want to split access rights to different parts of the intranet among them (which seems very unpractical if one of the administrators is sick / on holidays).

We have only one administrator (me) who wants to include the whistleblower platform into our intranet (by way of iframing). As mentioned above, the advantage to have the whistleblower platform appear within an intranet site is to have all the legally required links in place (in particular to the data protection information) and to need only minimal css efforts to make it ci conform.

But I think I cannot convince you to allow iframing since there will always be the argument of some bad person / administrator abusing such functionality once activated...