Control Frameable Response in HTTP headers
  • 06 Mar 2024

Abstract

Product: Workbench


  • BrassRing Responsive Talent Gateways can be embedded in frames on websites outside Infinite. Clients do this to host their own content on the page and pull the Talent Gateway into a frame for the candidate search and application process.

  • This creates a potential clickjacking vulnerability: the Talent Gateway could be embedded in a malicious website, and candidate actions such as mouse clicks on that site could be misdirected into the framed gateway.

  • To close this gap, each Responsive Talent Gateway can be configured to control whether, and by which sites, it may be embedded.

  • All existing Responsive Talent Gateways are configured to Always Allow by default.

  • This feature is not available for Classic Talent Gateways or Basic Talent Gateways. All members of a Global Talent Gateway are configured with the same setting.

  • When providing URLs for the allowlist, use fully qualified domains that include the host or sub-domain (for example, www or careers) together with the registered domain (for example, mycompanyx.com), which combined give careers.mycompanyx.com. This is the format required for the parent site that frames the Responsive Talent Gateway.

The HTTP response headers used to control framing are of two types:

  • X-Frame-Options: the older HTTP response header controlling whether a response may be framed. It is the header that older browsers rely on. Modern browsers still honour its DENY and SAMEORIGIN values but ignore the ALLOW-FROM directive, and they disregard the header entirely when a Content-Security-Policy frame-ancestors directive is present. Because ALLOW-FROM accepts a single origin, this header can carry only one allowlisted domain when the third option (Allow only these URLs) is selected.

  • Content-Security-Policy: the newer HTTP response header, whose frame-ancestors directive controls whether a response may be framed. It is respected by modern browsers; older browser versions may or may not honour it. Content-Security-Policy supports multiple domains in the allowlist.

  • Best practice when using the allowlist option is to embed each Responsive Talent Gateway from a single domain and enter only that domain in the allowlist. A single domain then works for both X-Frame-Options and Content-Security-Policy, so both new and old browsers are covered.
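The headers behind the three Embed TG in other sites settings, and a check of what a current or a legacy browser does with them, as an added example that is not Infinite's or BrassRing's code. The page does not document the product's exact output, so two things are assumed here and marked in the code: Always Allow is modelled as sending no framing header, and Allow only these URLs as putting the first allowlisted domain in ALLOW-FROM and every allowlisted domain in frame-ancestors. The gateway and parent hostnames are placeholders. Feeding the headers returned by a real gateway (for example from `curl -sI`) into `may_frame` is a quick way to confirm a setting took effect after saving.

```python
"""Added example (not Infinite/BrassRing code). Assumptions: 'Always Allow' sends
no framing header; 'Allow only these URLs' puts the first allowlisted domain in
X-Frame-Options ALLOW-FROM and all of them in CSP frame-ancestors. Hostnames
are placeholders."""
from urllib.parse import urlsplit


def origin(host_or_url: str) -> str:
    """Normalise 'careers.mycompanyx.com' or 'https://careers.mycompanyx.com/jobs'
    to an https origin. Bare labels such as 'careers' are rejected, mirroring the
    requirement that allowlist entries be fully qualified domains."""
    url = host_or_url if "://" in host_or_url else "https://" + host_or_url
    host = (urlsplit(url).hostname or "").lower()
    if "." not in host.strip("."):
        raise ValueError(f"not a fully qualified domain: {host_or_url!r}")
    return f"https://{host}"


def frame_headers(setting: str, allowlist=()) -> dict:
    """Response headers for one 'Embed TG in other sites' value (assumed layout)."""
    if setting == "Always Allow":
        return {}  # assumption: no framing restriction is sent
    if setting == "Never Allow":
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if setting == "Allow only these URLs":
        origins = [origin(e.strip()) for e in allowlist if e.strip()]
        if not origins:
            raise ValueError("allowlist is empty")
        return {
            # ALLOW-FROM takes exactly one origin: only the first entry fits here
            "X-Frame-Options": f"ALLOW-FROM {origins[0]}",
            # frame-ancestors takes the whole list
            "Content-Security-Policy": "frame-ancestors " + " ".join(origins),
        }
    raise ValueError(f"unknown setting: {setting!r}")


def may_frame(headers: dict, parent: str, gateway: str, legacy: bool = False) -> bool:
    """Would a browser let the page at `parent` frame the gateway at `gateway`?
    legacy=False: a current browser. It uses CSP frame-ancestors when present
    (ignoring X-Frame-Options); otherwise it honours DENY/SAMEORIGIN and treats
    ALLOW-FROM as unrecognised, i.e. no restriction.
    legacy=True: an old browser with no CSP support that still honours ALLOW-FROM."""
    parent_o, gateway_o = origin(parent), origin(gateway)
    csp = headers.get("Content-Security-Policy", "")
    xfo = headers.get("X-Frame-Options", "").strip()

    if not legacy:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = tokens[1:]
                if sources == ["'none'"]:
                    return False
                for src in sources:
                    if src == "*":
                        return True
                    if src.lower() == "'self'" and parent_o == gateway_o:
                        return True
                    if src.startswith("'"):
                        continue  # other keyword sources are not modelled
                    if origin(src) == parent_o:
                        return True
                return False  # directive present, parent not listed

    value = xfo.upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return parent_o == gateway_o
    if value.startswith("ALLOW-FROM"):
        if not legacy:
            return True  # current browsers discard the whole header here
        rest = xfo.split(None, 1)
        return len(rest) == 2 and origin(rest[1]) == parent_o
    return True  # no recognised restriction
```

The two-browser split is the reason for the single-domain best practice: with two allowlisted domains, a current browser admits both through frame-ancestors, but a legacy browser sees only the one domain that fits in ALLOW-FROM and blocks the other.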

Process:

Configure whether the Talent Gateway can be embedded in another website.

  1. Select Tools → Talent Gateways.

  2. Select the Edit Responsive Layout icon.

  3. Expand the General Section.

  4. For Embed TG in other sites select:

    • Always Allow, to allow embedding on any other site.

    • Never Allow, to block the Talent Gateway from being embedded on other sites.

      • Each browser displays the blocked message differently. This is not controlled by Infinite.

    • Allow only these URLs, to limit the embedding of the Talent Gateway to allowlisted URLs.

      1. Enter the URLs that are allowed to embed the Talent Gateway, as fully qualified domains, separating each URL with a comma.

      2. The text box validates the format of each URL entered and displays an error message if a URL is invalid.

  5. Select Save.

    • If you have opened the Talent Gateway Responsive Layout page before, press Ctrl+F5 to refresh the window and clear the cache; otherwise the page may not save successfully.