It is possible to load the web application in HTML FRAMES from third-party web sites, which makes Horizon vulnerable to various client-side attacks such as Clickjacking [1].
The following code on another webserver will load the page from Horizon:
<html>
<title>XFS test</title>
<body>
<iframe src="https://horizonwebserver/nova/" width="100%" height="100%"></iframe>
</body>
</html>
An attacker would need to load the web application in an HTML frame located on a third-party website. By applying an opaque overlay containing other content over the target web application and coercing the user to interact with the overlay, user mouse events and key presses can be directed through to the target web application.
A successful attack could allow a malicious user to post fraudulent transactions.
Horizon should ensure that all pages include a JavaScript Frame Killer to ensure that the page is only loaded within frames from authorised third-party domains or hosts. An example of such a Frame Killer is included below.
<style> htmls{display : none}; </style>
<script> if (self == top) { document.documentElement.style.display = ?block?; } else { top.location = self.location; } </script>
Other options rely on adding the X-Frame-Options in the header. This could be done in the web server's configuration [2], or in Django itself [3].
[1] https://www.owasp.org/index.php/Clickjacking
[2] https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header
[3] https://docs.djangoproject.com/en/dev/ref/clickjacking/
Adding PTL
I guess that combined will long-lived cookies, that could be abused in a rather convoluted attack. Not totally convinced we need an advisory for this. Thoughts ?