Sonarqube 4.2 Variants of X-Frame and Cross-Site Scripting Roughs

I had the same issue trying to get responses from the SonarQube instance to display when placed in an iframe consumed by the backplane app.

While 'X-Frames-Option'

not definitely configurable in SonarQube, these two steps will allow you to display the response from the SonarQube server in an iframe:

• Modify the environment.rb
  
  script in the directory <SonarQube-Home>\web\WEB-INF\config
  
  by commenting out the title assignment 'X-Frames-Option'
  
  (or changing the value to 'ALLOW-FROM'
  
  with the appropriate url exception):

  # Clickjacking protection
  # See https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_EE
  # headers['X-Frame-Options']='SAMEORIGIN'
  
        
  
          
          
          
        
  
      

• Either comment out the existing filter configuration in the file <SonarQube-Home>\web\WEB-INF\web.xml
  
  (not recommended), or write your own implementation Filter
  
  and replace the existing configuration:

  <filter> <filter-name>SecurityFilter</filter-name> <filter-class>org.sonar.server.platform.SecurityServletFilter</filter-class> </filter>
  
  

  with my (example):

  <filter> <filter-name>SecurityFilter</filter-name> <filter-class>com.foo.MySecurityServletFilter</filter-class> <init-param> <param-name>X-Content-Type-Options</param-name> <param-value>nosniff</param-value> </init-param> <init-param> <param-name>X-XSS-Protection</param-name> <param-value>1; mode=block</param-value> </init-param> <init-param> <param-name>X-Frame-Options</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>allow-from-uri</param-name> <param-value>http://internal.foo.com</param-value> </init-param> </filter>
  
  The initialization parameters must of course be supported by your custom implementation Filter
  
  .

• I created a simple jar containing my filter and copied it to the directory <SonarQube-Home>\lib\server
  
  .