CVE-2020-14729: Vulnerability in SuiteCommerce Advanced Sites

You can set the X-Frame-Options (XFO) and Content-Security-Policy (CSP) HTTP response headers so that SuiteCommerce Advanced (SCA) sites on releases prior to 2020.1.4 cannot be framed by any other site or origin. These patch instructions describe how to add these HTTP security headers to help prevent clickjacking attacks against your site.

Note:

The CSP frame-ancestors directive supersedes XFO in modern browsers, and XFO is no longer being extended. However, some browsers, such as versions of Internet Explorer that predate Edge, still do not support CSP. These patch instructions include both headers so that framing is restricted in all browsers: browsers that understand CSP enforce frame-ancestors, and older browsers fall back to XFO.

To learn more about these security headers and the options available with them, refer to the following resources:

To implement this patch, choose the option that matches how your site is used and then follow the instructions for that option:

  • Your site does not need to be framed by any other site/origin: see Framing Not Required.

  • Your site needs to be framed by another single site/origin: see Framing by a Single Site/Origin.

  • Your site needs to be framed by multiple sites/origins: see Framing by Multiple Sites/Origins.

    Note:

    X-Frame-Options (XFO) does not support multiple sites/origins, so those instructions include only the Content-Security-Policy (CSP) header.

  • Your site needs to be framed by any site/origin: see Framing by any Site.

SSP Files

These patch instructions require that you add headers to the SSP files in your local SCA directory. Where the SSP files are stored depends on the release of SCA that you have installed. To locate all required files, search your SCA directory using a wildcard pattern, for example: *.ssp

A current SCA installation includes the following .ssp files; older releases may not include all of them:

  • shopping.ssp

  • checkout.ssp

  • my_account.ssp

  • challengeShopperForm.ssp

  • deviceAuthenticationForm.ssp

  • threedsecure.ssp

  • external_payment.ssp

  • download.ssp

  • print-statement.ssp

  • goToCart.ssp

  • logOut.ssp

  • redirections.ssp

  • searchApi.ssp

  • index-local.ssp (Each application includes an index-local.ssp file.)

  • shopping-local.ssp, checkout-local.ssp, ... (When you compile local SCA source by running gulp deploy, SCA generates these files in the DeployDistribution directory.)

Framing Not Required

If your site does not need to be framed by any other site, add the following lines to all SSP files in your local SCA directory. For example, shopping.ssp, checkout.ssp, and so on. For more information about the files to update, see SSP Files.

  1. At the very top of each .ssp file, copy and paste the following lines to set the headers. Make sure to add these lines inside a <% ... %> block as shown in the following code.

    Important:

    These lines allow your site to be framed only by itself, which is required to ensure that Site Management Tools (SMT) continue to function properly.

    <%
    response.addHeader('X-Frame-Options', 'SAMEORIGIN');
    response.addHeader('Content-Security-Policy', 'frame-ancestors \'self\'');
    %>

  2. After adding the headers, deploy the updated source files. See Deploy SCA Customizations to NetSuite for details.

Framing by a Single Site/Origin

If your site needs to be framed by another single site, add the following lines to all SSP files in your local SCA directory. For example, shopping.ssp, checkout.ssp, and so on. For more information about the files to update, see SSP Files.

  1. At the very top of each .ssp file, copy and paste the following lines to set the headers. Make sure to:

    • Add these lines inside a <% ... %> block as shown in the following code.

    • Change tempdomain.com in the URL on each of these lines to the domain for the single site that is allowed to frame your site. The URL for the allowed site must include http:// or https://, and should use the scheme over which the framing page is actually served. Do not include a path: both headers take an origin, not a page URL.

    • Be aware that the XFO ALLOW-FROM value accepts exactly one origin and is honored only by Internet Explorer and older versions of Firefox; Chrome, Safari and current Firefox ignore it. In those browsers the CSP frame-ancestors line is what restricts framing, so keep both lines.

    <%
    response.addHeader('X-Frame-Options', 'ALLOW-FROM http://tempdomain.com');
    response.addHeader('Content-Security-Policy', 'frame-ancestors http://tempdomain.com');
    %>

  2. After adding the headers, deploy the updated source files. See Deploy SCA Customizations to NetSuite for details.

Framing by Multiple Sites/Origins

If your site needs to be framed by multiple sites, add the following line to all SSP files in your local SCA directory. For example, shopping.ssp, checkout.ssp, and so on. For more information about the files to update, see SSP Files.

Note:

X-Frame-Options (XFO) do not support multiple sites/origins, so these instructions include only the Content-Security-Policy (CSP) header.

  1. At the very top of each .ssp file, copy and paste the following line to set the header. Make sure to:

    • Add this line inside a <% ... %> block as shown in the following code.

    • Keep 'self' in the list as shown in the following code to ensure that Site Management Tools (SMT) continue to function properly.

    • Change tempdomain1.com and tempdomain2.com in the URLs to the domains for the sites that are allowed to frame your site, adding further space-separated origins as needed. Each origin must include http:// or https:// and must not include a path.

    <%
    response.addHeader('Content-Security-Policy', 'frame-ancestors \'self\' http://tempdomain1.com http://tempdomain2.com');
    %>

  2. After adding the header, deploy the updated source files. See Deploy SCA Customizations to NetSuite for details.

Framing by any Site

If you don’t want to restrict framing and want any site to be able to frame your site, you do not need to make any changes.

Important:

Allowing your site to be framed by any other site by omitting these security headers leaves your site vulnerable to clickjacking attacks, in which an attacker loads your site in a hidden or transparent frame on a page they control and tricks signed-in users into clicking controls on it.

Related Topics

SCA Patches

General Notices