|
No. None of the internal users do anything with credit cards and are on
servers that are not in scope. The iSeries is in scope and that is where
the x-frame option has to be turned on.
________________________________________
From: WEB400 [web400-bounces@xxxxxxxxxxxx] on behalf of Henrik Rützou [
hr@xxxxxxxxxxxx]
Sent: Wednesday, March 16, 2016 8:30 PM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] alternative to <iframe>
Does your 'internal' users that requires sharepoint etc. use the payment
application?
On Thu, Mar 17, 2016 at 1:19 AM, Mike Cunningham <mike.cunningham@xxxxxxx>
wrote:
I see your point. It is not specifically written in the PCI-DSS documentis
that a web server has to be configured with the x-frame option but there
a requirement to have an external scan done every quarter. If if thatnot
external scanner issues a failing status because the x-frame option is
found and our acquirer can cut us off for having a failing status it isare
functionally a standard to keep taking credit cards. And they could both
argue that this would fall under Requirement 2.2.3 "Implement additional
security features for any required services, protocols, or daemons that
considered to be insecure"that
________________________________________
From: WEB400 [web400-bounces@xxxxxxxxxxxx] on behalf of Nathan Andelin [
nandelin@xxxxxxxxx]
Sent: Wednesday, March 16, 2016 7:49 PM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] alternative to <iframe>
Nathan here - not Rob. Since the web pages originate on external Windows
servers, forget what I said about GETURI and HTTPAPI. I now understand
external web pages have embedded iframes pointing to your IBM i Apache/
server.
By "PCI scam", I'm referring to "vendors" who make up their own standards
and pass them off as PCI.
If I understand correctly, your "scans" are failing because you're not
using Apache x-frames. Your vendor is suggesting that your web sites are
therefore vulnerable to clickJacking.
Your vendor appears to be "scamming" you in the sense that neither
x-frames, nor iframes, nor clickJacking is covered by PCI standards.
If you are concerned about malicious external sites referencing your site
in their iframes, the best way to handle that is via user authentication
authorization. I believe you could also white-list certain "origins" inmike.cunningham@xxxxxxx>
your applications.
The problem with your vendor's assertions, is that they appear to
indiscriminately be forbidding the use of iframes in external sites.
On Wed, Mar 16, 2016 at 1:51 PM, Mike Cunningham <
wrote:processors
Rob, not a scam. We use scanning service that our credit card
requirementhad us use and that is who is failing us on the external scan
http://portal.cavallocomm.com/knowledgebase/34/Implementation-of-PCI-Compliant-Headers.htmlof PCI. Others are reporting the same failure.
onlyhave
The div options sounds like our best option to try with the possible
exception of Sharepoint where we use either the provided web parts or
to write custom web parts which I don't really want to get into. The
useprovided tool to do what we are doing uses iFrames.other
I would love to see a code example
-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Rob
Sent: Wednesday, March 16, 2016 12:52 PM
To: Web Enabling the IBM i (AS/400 and iSeries) <web400@xxxxxxxxxxxx>
Subject: Re: [WEB400] alternative to <iframe>
I agree with Nathan.
Simply get the contents of the page and display in a DIV or any
suitable control of your choosing.
I do it every day with out a problem. Well, sometimes I have to
codeCURL for those sites that attempt to prevent crawling. If you need
toknow.
make your server request to look like it is a browser, just let me
inPCI.
Happy Coding,
Rob
On 03/16/2016 09:58 AM, Nathan Andelin wrote:
Mike,
Last I checked, "frame-busting hacks" like x-frames were not part of
You probably have good grounds for ignoring your latest "PCI scan",
yourthat regard.
iframes provide useful functionality. clickJacking is a problem with
malicious sites. Does anyone have cause to view your web applications
as being malicious?
However, if you really do want to provide content from multiple sites
without using iframes, the idea of using GETURI (or HTTPAPI) to
retrieve "content" from "foreign" sites and passing it through to
mailingusers seems like the best alternative. It will require some redesign
and rework of any applications that currently use iframes.
--
Your Out-Source IT Department,
Rob Couch
IT Serenity
214 682 7638
Skype: itserenity
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailinglist To post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/web400.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
list--
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.
--
Regards,
Henrik Rützou
http://powerEXT.com <http://powerext.com/>
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.