RESOLVED WONTFIX

Status: RESOLVED WONTFIX
Cloud Services :: Web Site
Reported: 4 years ago
Modified: 3 years ago

People: (Reporter: rillian, Unassigned)

We wanted to add the location services map and stats pages to our corsica-based[1] information radiator thing in the Vancouver office. Unfortunately the site sets 'X-Frame-Options: DENY' and corsica uses an iframe-based carousel.

I understand that https://stooge.mozillalabs.com/ wants us to enable that everywhere, but I don't see anything sensitive on those pages which needs protection. It seems read-only except for maybe map navigation and the search box in the mozilla banner.

Can we turn this off, or add an exception for yvr-corsica.paas.allizom.org?

[1] https://github.com/mozilla/corsica

Comment 1

4 years ago
Stefan, as the one having done the security review on this project, what do you think?

I tend to prefer global security options, which are the same for all the pages. Implementing a whitelist to allow iframe inclusion for some pages is reasonably easy. So this isn't blocked on implementation complexity.
Flags: needinfo?(sarentz)

Comment 2

XFO is mostly to prevent clickjacking. And clickjacking only makes sense if there actually is something to get from the user.

So if the site is read-only then you can probably disable it. Although an exception for a special 'presentation' page would be nicer IMO :-)
Flags: needinfo?(sarentz)
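What the per-page exception discussed in comments 1 and 2 looks like in practice, as an added example (not code from the location services site or from corsica): framing stays denied globally, and only an allowlisted set of read-only "presentation" pages may be embedded, and only by the yvr-corsica origin from the bug. The page paths are assumed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: request path -> origins allowed to frame that page.
# The embedding origin is the one named in the bug; the paths are assumed.
FRAME_ALLOWLIST = {
    "/map": ("https://yvr-corsica.paas.allizom.org",),
    "/stats": ("https://yvr-corsica.paas.allizom.org",),
}


def _normalize_path(raw):
    """Drop query/fragment and trailing slash so '/map/?x=1' matches '/map'."""
    path = urlsplit(raw).path
    return path.rstrip("/") or "/"


def framing_headers(raw_path):
    """Return the anti-clickjacking headers for a response to `raw_path`.

    The global default is DENY (what the site ships today). Only pages on
    the allowlist get an exception, and only for the listed embedding
    origins, expressed as a CSP frame-ancestors directive.
    """
    allowed = FRAME_ALLOWLIST.get(_normalize_path(raw_path))
    if not allowed:
        # Belt and braces: CSP for current browsers, XFO for older ones.
        return {
            "Content-Security-Policy": "frame-ancestors 'none'",
            "X-Frame-Options": "DENY",
        }
    # No X-Frame-Options on allowlisted pages: its ALLOW-FROM form is
    # obsolete and takes a single origin, and DENY/SAMEORIGIN would block
    # the embedder in browsers that honour XFO. Browsers without CSP2
    # support therefore get no framing protection on these read-only
    # pages; that is the trade-off the allowlist accepts.
    return {"Content-Security-Policy": "frame-ancestors " + " ".join(allowed)}


def is_frameable_by(raw_path, embedder_origin):
    """True if `embedder_origin` may frame the page at `raw_path`."""
    allowed = FRAME_ALLOWLIST.get(_normalize_path(raw_path), ())
    return embedder_origin.rstrip("/").lower() in allowed
```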

Comment 3

3 years ago
This never became a priority and nobody else asked us for allowing embedding. Closing this as "not important enough to get done".
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX