We wanted to add the location services map and stats pages to our corsica-based information radiator thing in the Vancouver office. Unfortunately the site sets 'X-Frame-Options: DENY' and corsica uses an iframe-based carousel. I understand that https://stooge.mozillalabs.com/ wants us to enable that everywhere, but I don't see anything sensitive on those pages which needs protection. It seems read-only except for maybe map navigation and the search box in the mozilla banner. Can we turn this off, or add an exception for yvr-corsica.paas.allizom.org? https://github.com/mozilla/corsica
Stefan, as the one who did the security review on this project, what do you think? I tend to prefer global security options, which are the same for all the pages. Implementing a whitelist to allow iframe inclusion for some pages is reasonably easy, so this isn't blocked on implementation complexity.
XFO is mostly to prevent clickjacking. And clickjacking only makes sense if there actually is something to get from the user. So if the site is read-only then you can probably disable it. Although an exception for a special 'presentation' page would be nicer IMO :-)
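The per-page exception Stefan suggests (deny framing everywhere, allow it only for a listed set of read-only presentation pages and only for a listed set of embedders) is easy to express as a response-header policy. The following is an added illustration written for this page, not code from the location services site or from corsica. It uses the embedder origin named in the bug report; the page paths "/map" and "/stats" are assumptions, since the thread does not give the real URLs. It expresses the allowlist with CSP `frame-ancestors`, because `X-Frame-Options` has no portable allow-from form (the `ALLOW-FROM` value was only ever honoured by some browsers), and keeps `X-Frame-Options: DENY` for every non-listed path so older browsers still get a deny.

```python
"""Per-path framing policy: deny by default, allow an explicit list of
read-only pages to be embedded by an explicit list of origins.

Added example for this bug thread, not the site's or corsica's own code.
"""
import posixpath

# ASSUMPTION: paths of the read-only "map" and "stats" presentation pages.
# The bug names the pages but not their URLs.
EMBEDDABLE_PATHS = frozenset({"/map", "/stats"})

# Origin from the bug report that is allowed to embed the listed pages.
ALLOWED_EMBEDDERS = ("https://yvr-corsica.paas.allizom.org",)


def normalize_path(path):
    """Collapse '.' and '..' segments so that '/map/../account' is judged as
    '/account' (denied) rather than matching the '/map' prefix."""
    norm = posixpath.normpath(path or "/")
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def frame_headers(path):
    """Return the anti-clickjacking headers for a response to `path`.

    Unlisted paths get X-Frame-Options: DENY plus the equivalent CSP
    directive.  Listed paths get only CSP frame-ancestors with the allowed
    embedders; X-Frame-Options is omitted there because it cannot carry an
    allowlist, and a DENY alongside the CSP would be contradictory.
    """
    if normalize_path(path) in EMBEDDABLE_PATHS:
        return {
            "Content-Security-Policy": "frame-ancestors " + " ".join(ALLOWED_EMBEDDERS),
        }
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


class FramePolicyMiddleware:
    """WSGI middleware that appends the headers from frame_headers() to every
    response, without overriding a header the application already set."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        extra = frame_headers(environ.get("PATH_INFO", "/"))

        def _start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            merged = list(headers) + [
                (name, value) for name, value in extra.items()
                if name.lower() not in present
            ]
            return start_response(status, merged, exc_info)

        return self.app(environ, _start_response)


def response_headers_for(path):
    """Drive the middleware with a minimal WSGI app and return the header list
    the client would see for `path`.  Useful for checking the policy offline."""
    captured = {}

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html></html>"]

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    list(FramePolicyMiddleware(app)({"PATH_INFO": path}, start_response))
    return captured["headers"]
```

The policy deliberately fails closed: anything not exactly in the allowlist, including path variants that only resolve to a listed page after traversal tricks or a doubled leading slash, gets the global deny, which keeps the "same option for all pages" default Pierre prefers while carving out just the presentation pages.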
This never became a priority and nobody else asked us for allowing embedding. Closing this as "not important enough to get done".
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX