nifi-dev mailing list archives

From Andy LoPresto <>
Subject Re: NiFI 1.4.0 UI can't be displayed in an IFrame?
Date Thu, 14 Dec 2017 02:59:56 GMT

This was intentionally introduced via NIFI-3907 [1] in Apache NiFi 1.3.0 as a mitigation for
CVE-2017-7667 [2]. Prior to this change, a malicious site could have displayed the NiFi UI
and introduced invisible overlays such that an unsuspecting user would perform actions like
entering sensitive credentials into a malicious form field. See here [3] and here [4] for
further information on Cross Frame Scripting / Clickjacking, as the attack is called.

If you have some kind of enterprise portal and have a legitimate need to display a NiFi UI
within a frame that is not hosted on the same origin, you can resort to modifying the value
provided to the response header in the filter here [5]. If you need this as an included feature
in NiFi (for example, a configurable URI in, I suggest raising a Jira ticket,
but I have to caution that it would be a low priority, as this actively weakens the security
of the system and is not a common use case.

[3] <>
[4] <>

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Dec 12, 2017, at 10:15 AM, tanezavm <> wrote:
> Hi,
> I tried to display NiFi 1.4.0 UI in an IFrame but it failed to load with
> error below:
> Refused to display '' in a frame because it
> set 'X-Frame-Options' to 'sameorigin'.
> Note: This setup works using NiFi 1.1.2.
> Kindly advise.
> Thanks,
> Virgil
> --
> Sent from:
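
Added example, not part of the original message and not NiFi's own code: a simplified model of the X-Frame-Options check from the current HTML Standard, which reproduces the browser's refusal quoted above and can be used to review the headers a deployment returns. The function names and the `example.com` URLs are constructed; it assumes one level of nesting and no CSP `frame-ancestors` directive.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
BLOCKING = {"deny", "sameorigin", "allowall"}


def origin(url):
    """Return the (scheme, host, port) origin of a URL, filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def frame_decision(headers, framed_url, parent_url):
    """Decide whether framed_url may render inside a frame on parent_url.

    headers is a list of (name, value) pairs from the framed response.
    Returns (allowed, reason).
    """
    tokens = set()
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # Repeated headers and comma-joined values are merged into one set.
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    if not tokens:
        return True, "no X-Frame-Options header: any site can frame this response"
    if len(tokens) > 1:
        if tokens & BLOCKING:
            return False, "conflicting values: treated as a refusal"
        return True, "only unrecognized values: header ignored"
    if "deny" in tokens:
        return False, "deny: refused for every parent"
    if "sameorigin" in tokens:
        if origin(framed_url) == origin(parent_url):
            return True, "sameorigin: parent shares the framed origin"
        return False, "sameorigin: parent is a different origin"
    # A lone ALLOW-FROM or a misspelled value lands here and protects nothing.
    return True, "unrecognized value: header ignored"


if __name__ == "__main__":
    nifi = "https://nifi.example.com:8443/nifi/"   # constructed sample URLs
    portal = "https://portal.example.com/"
    for hdrs in ([("X-Frame-Options", "SAMEORIGIN")], []):
        print(hdrs, "->", frame_decision(hdrs, nifi, portal))
```

The last branch is the one to watch when the header value is changed: a value the browser does not recognize is ignored, which leaves the response framable by any site.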
