Re: alternative to <iframe> -- WEB400

Is there anyway to see the application - is it on your homepage ?

On Thu, Mar 17, 2016 at 2:09 AM, Mike Cunningham <mike.cunningham@xxxxxxx>
wrote:

nothing interactive. The data is different depending who is logged on but
it is sent once and there is nothing interactive once displayed.
________________________________________
From: WEB400 [web400-bounces@xxxxxxxxxxxx] on behalf of Henrik Rützou [
hr@xxxxxxxxxxxx]
Sent: Wednesday, March 16, 2016 8:58 PM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] alternative to <iframe>

What I mean - is it just showing some data or is it interactive?

On Thu, Mar 17, 2016 at 1:42 AM, Mike Cunningham <mike.cunningham@xxxxxxx>
wrote:

It is simple to do and deny the external users from using iframe to

render

iSeries data but that's the problem. It breaks some of the functions we
have implement on those external servers because they can no longer show
the data we want to show
________________________________________
From: WEB400 [web400-bounces@xxxxxxxxxxxx] on behalf of Henrik Rützou [
hr@xxxxxxxxxxxx]
Sent: Wednesday, March 16, 2016 8:38 PM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] alternative to <iframe>

Well if the iSeries is the main page - it should be quite simple to

exclude

the iframe options from
the external users

On Thu, Mar 17, 2016 at 1:35 AM, Mike Cunningham <

mike.cunningham@xxxxxxx>

wrote:

No. None of the internal users do anything with credit cards and are on
servers that are not in scope. The iSeries is in scope and that is

where

the x-frame option has to be turned on.
________________________________________
From: WEB400 [web400-bounces@xxxxxxxxxxxx] on behalf of Henrik Rützou

[

hr@xxxxxxxxxxxx]
Sent: Wednesday, March 16, 2016 8:30 PM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] alternative to <iframe>

Does your 'internal' users that requires sharepoint etc. use the

payment

application?

On Thu, Mar 17, 2016 at 1:19 AM, Mike Cunningham <

mike.cunningham@xxxxxxx>

wrote:

I see your point. It is not specifically written in the PCI-DSS

document

that a web server has to be configured with the x-frame option but

there

is

a requirement to have an external scan done every quarter. If if that
external scanner issues a failing status because the x-frame option

is

not

found and our acquirer can cut us off for having a failing status it

is

functionally a standard to keep taking credit cards. And they could

both

argue that this would fall under Requirement 2.2.3 "Implement

additional

security features for any required services, protocols, or daemons

that

are

considered to be insecure"

________________________________________
From: WEB400 [web400-bounces@xxxxxxxxxxxx] on behalf of Nathan

Andelin [

nandelin@xxxxxxxxx]
Sent: Wednesday, March 16, 2016 7:49 PM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] alternative to <iframe>

Nathan here - not Rob. Since the web pages originate on external

Windows

servers, forget what I said about GETURI and HTTPAPI. I now

understand

that

external web pages have embedded iframes pointing to your IBM i

Apache

server.

By "PCI scam", I'm referring to "vendors" who make up their own

standards

and pass them off as PCI.

If I understand correctly, your "scans" are failing because you're

not

using Apache x-frames. Your vendor is suggesting that your web sites

are

therefore vulnerable to clickJacking.

Your vendor appears to be "scamming" you in the sense that neither
x-frames, nor iframes, nor clickJacking is covered by PCI standards.

If you are concerned about malicious external sites referencing your

site

in their iframes, the best way to handle that is via user

authentication

/

authorization. I believe you could also white-list certain "origins"

in

your applications.

The problem with your vendor's assertions, is that they appear to
indiscriminately be forbidding the use of iframes in external sites.

On Wed, Mar 16, 2016 at 1:51 PM, Mike Cunningham <

mike.cunningham@xxxxxxx>

wrote:

Rob, not a scam. We use scanning service that our credit card

processors

had us use and that is who is failing us on the external scan

requirement

of PCI. Others are reporting the same failure.

http://portal.cavallocomm.com/knowledgebase/34/Implementation-of-PCI-Compliant-Headers.html

The div options sounds like our best option to try with the

possible

exception of Sharepoint where we use either the provided web parts

or

have

to write custom web parts which I don't really want to get into.

The

only

provided tool to do what we are doing uses iFrames.

I would love to see a code example

-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Rob
Sent: Wednesday, March 16, 2016 12:52 PM
To: Web Enabling the IBM i (AS/400 and iSeries) <

web400@xxxxxxxxxxxx

Subject: Re: [WEB400] alternative to <iframe>

I agree with Nathan.

Simply get the contents of the page and display in a DIV or

any

other

suitable control of your choosing.

I do it every day with out a problem. Well, sometimes I have

to

use

CURL for those sites that attempt to prevent crawling. If you need

code

to

make your server request to look like it is a browser, just let me

know.

Happy Coding,
Rob

On 03/16/2016 09:58 AM, Nathan Andelin wrote:

Mike,

Last I checked, "frame-busting hacks" like x-frames were not part

of

PCI.

You probably have good grounds for ignoring your latest "PCI

scan",

in

that regard.

iframes provide useful functionality. clickJacking is a problem

with

malicious sites. Does anyone have cause to view your web

applications

as being malicious?

However, if you really do want to provide content from multiple

sites

without using iframes, the idea of using GETURI (or HTTPAPI) to
retrieve "content" from "foreign" sites and passing it through to

your

users seems like the best alternative. It will require some

redesign

and rework of any applications that currently use iframes.

--
Your Out-Source IT Department,
Rob Couch
IT Serenity
214 682 7638
Skype: itserenity

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing

list To post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing

list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing

list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing

list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.

--
Regards,
Henrik Rützou

http://powerEXT.com <http://powerext.com/>
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing

list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing

list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.

--
Regards,
Henrik Rützou

http://powerEXT.com <http://powerext.com/>
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.

--
Regards,
Henrik Rützou

http://powerEXT.com <http://powerext.com/>
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.