Cloud Services
Web Site
4 years ago
3 years ago


(Reporter: rillian, Unassigned)





We wanted to add the location services map and stats pages to our corsica-based[1] information radiator thing in the Vancouver office. Unfortunately the site sets 'X-Frame-Options: DENY' and corsica uses an iframe-based carousel.

I understand that wants us to enable that everywhere, but I don't see anything sensitive on those pages which needs protection. It seems read-only except for maybe map navigation and the search box in the Mozilla banner.

Can we turn this off, or add an exception for


Comment 1

4 years ago
Stefan, as the one having done the security review on this project, what do you think?

I tend to prefer global security options, which are the same for all the pages. Implementing a whitelist to allow iframe inclusion for some pages is reasonably easy. So this isn't blocked on implementation complexity.
Flags: needinfo?(sarentz)

Comment 2

XFO is mostly to prevent clickjacking. And clickjacking only makes sense if there actually is something to get from the user.

So if the site is read-only then you can probably disable it. Although an exception for a special 'presentation' page would be nicer IMO :-)
Flags: needinfo?(sarentz)
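
The per-page exception discussed in the comments above, written as WSGI middleware that keeps `X-Frame-Options: DENY` as the global default and lifts it only for an exact-match allowlist on read-only requests. This is an added example, not code from this bug or from the project; the `/presentation` path, `FRAMEABLE_PATHS`, `demo_app` and `response_headers` are hypothetical names chosen for illustration.

```python
# Added example: default-deny framing with a narrow, explicit exception list.
# The path below is a hypothetical "presentation" page, not one named in the bug.
FRAMEABLE_PATHS = frozenset({"/presentation"})
SAFE_METHODS = frozenset({"GET", "HEAD"})


class FrameOptionsMiddleware:
    """Send X-Frame-Options: DENY on every response except allowlisted pages."""

    def __init__(self, app, frameable_paths=FRAMEABLE_PATHS):
        self.app = app
        self.frameable = frozenset(frameable_paths)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO") or "/"
        method = environ.get("REQUEST_METHOD", "GET")
        # Exact path match only (no prefix matching), and only for read-only
        # methods, so the exception cannot spread to state-changing endpoints.
        frameable = path in self.frameable and method in SAFE_METHODS

        def patched_start(status, headers, exc_info=None):
            # Drop any value the wrapped app set so the policy lives in one place.
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            if not frameable:
                headers.append(("X-Frame-Options", "DENY"))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start)


def demo_app(environ, start_response):
    # Constructed stand-in for the site: it sets DENY itself on every page.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-Frame-Options", "DENY")])
    return [b"ok"]


def response_headers(path, method="GET"):
    """Run one constructed request through the middleware; return its headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": method}
    b"".join(FrameOptionsMiddleware(demo_app)(environ, start_response))
    return captured
```

Any page added to the allowlist should expose no user-triggered actions, since it is the only place where the clickjacking protection is absent.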

Comment 3

3 years ago
This never became a priority and nobody else asked us for allowing embedding. Closing this as "not important enough to get done".
Last Resolved: 3 years ago
Resolution: --- → WONTFIX