Bug 584831 - Add x-frame-options to commonware
Opened 14 years ago; closed 14 years ago
Product: addons.mozilla.org Graveyard
Component: Code Quality (defect)
Tracking: not tracked
Status: VERIFIED FIXED
Target milestone: 5.11.9
Reporter: clouserw
Assignee: Unassigned
From the "ClickJacking & X-Frame-Options" thread on webappsec, we should add this header to commonware, which will fix up AMO and SUMO. From the email: Add the additional header of x-frame-options that is set to "DENY" or "SAMEORIGIN". - Deny prevents any site from framing the page - Sameorigin allows only sites from the same domain to frame the page Unless we have a specific use case that needs framing we will default to "x-frame-options: DENY"
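The description above asks for a middleware that defaults every Django response to X-Frame-Options: DENY unless a specific page needs framing. The block below is an added example in that shape, written for this page; it is not commonware's own FrameOptionsHeader (that code is in the commit linked in comment 1) and not zamboni code. The stand-in HttpResponse class, the default/SAMEORIGIN constructor argument and the `no_frame_options` opt-out attribute are assumptions made so the example runs without Django installed.

```python
"""Django-style X-Frame-Options middleware (added example, not commonware's code).

DENY       - no site, including our own, may render the page in a frame
SAMEORIGIN - only pages from the same origin may frame it
The thread's default is DENY; SAMEORIGIN is accepted for deployments that
frame their own pages.
"""

VALID_VALUES = ("DENY", "SAMEORIGIN")


class HttpResponse:
    """Constructed stand-in for django.http.HttpResponse: a body plus a
    header mapping with case-insensitive names (assumption for this example)."""

    def __init__(self, body="", content_type="text/html; charset=utf-8"):
        self.body = body
        self._headers = {}
        self["Content-Type"] = content_type

    def __setitem__(self, name, value):
        self._headers[name.lower()] = (name, value)

    def __getitem__(self, name):
        return self._headers[name.lower()][1]

    def __contains__(self, name):
        return name.lower() in self._headers


class FrameOptionsHeader:
    """Add X-Frame-Options to every response that does not already carry it.

    A view that sets the header itself keeps its value; a view that must be
    embeddable sets `response.no_frame_options = True` (assumed opt-out name)
    and the header is left off entirely.
    """

    def __init__(self, default="DENY"):
        if default not in VALID_VALUES:
            raise ValueError("X-Frame-Options must be one of %s" % (VALID_VALUES,))
        self.default = default

    def process_response(self, request, response):
        if "X-Frame-Options" in response:
            return response  # the view chose an explicit policy; do not override it
        if getattr(response, "no_frame_options", False):
            return response  # explicit opt-out for a page that has to be framed
        response["X-Frame-Options"] = self.default
        return response


def apply_to_responses(middleware, responses):
    """Run each named response through the middleware and report the resulting
    X-Frame-Options value, or None when the header was left off."""
    result = {}
    for name, response in responses.items():
        processed = middleware.process_response(None, response)
        result[name] = processed["X-Frame-Options"] if "X-Frame-Options" in processed else None
    return result


def demo():
    """Constructed responses covering the three cases the middleware handles."""
    explicit = HttpResponse("<p>self-framed dashboard</p>")
    explicit["X-Frame-Options"] = "SAMEORIGIN"  # view chose its own policy
    embeddable = HttpResponse("<p>widget</p>")
    embeddable.no_frame_options = True  # view that third parties must be able to frame
    responses = {
        "addon_page": HttpResponse("<h1>Alerts &amp; Updates</h1>"),
        "same_origin_view": explicit,
        "embeddable_widget": embeddable,
    }
    return apply_to_responses(FrameOptionsHeader("DENY"), responses)


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-18s X-Frame-Options: %s" % (name, value))
```

In Django the process_response hooks run in reverse order of MIDDLEWARE_CLASSES, so the position of this middleware only matters relative to other middleware that also writes X-Frame-Options. Static files served directly by Apache never pass through it, which is the scope comment 4 describes.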
Comment 1 • 14 years ago
http://github.com/jsocol/commonware/commit/3ca2020a43413 Commonware is patched. Add commonware.middleware.FrameOptionsHeader to MIDDLEWARE_CLASSES and you're good to go.
Assignee: james → nobody
Comment 2 (Reporter) • 14 years ago
thanks, http://github.com/jbalogh/zamboni/commit/df1d19304a385c52c8fcc888f6ffc240634eb0c5
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 3 • 14 years ago
So this should be on all GET requests for HTML assets?

https://preview.addons.mozilla.org/en-US/firefox/extensions/alerts-updates/

GET /en-US/firefox/extensions/alerts-updates/ HTTP/1.1
Host: preview.addons.mozilla.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://preview.addons.mozilla.org/en-US/firefox/
<snip>

HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: pm-app-amo24
Vary: Accept-Encoding
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Date: Tue, 31 Aug 2010 18:01:54 GMT
Keep-Alive: timeout=5, max=994
Transfer-Encoding: chunked
Via: Moz-Cache-zlb03
Connection: Keep-Alive
X-Frame-Options: DENY
Comment 4 (Reporter) • 14 years ago
(In reply to comment #3)
> So this should be on all GET requests for HTML assets?

Only things coming from django, so, yes on pages like the above, no on images, css, etc.
Comment 5 • 14 years ago
Verified FIXED for AMO -- I created, edited, deleted, tagged, etc., then pasted the Live HTTP Headers output into a text editor and looked for X-Frame-Options: DENY; looks like SUMO will be adding it separately (though it was added to the middleware).
Status: RESOLVED → VERIFIED
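Comment 5 verifies the fix by pasting a Live HTTP Headers dump into an editor and looking for X-Frame-Options: DENY, and comment 4 scopes the check to HTML served by Django. The script below is an added example that automates that scan over a capture in the same request/response layout as comment 3; it is not part of the bug, commonware or zamboni. The capture embedded in it is constructed for the example (only the alerts-updates path comes from comment 3; the other paths are made up), and it reports every HTML response whose header is missing or differs from the expected value.

```python
"""Audit a Live HTTP Headers style capture for X-Frame-Options on HTML responses.
Added example; the capture below is constructed, not the one from comment 3."""
import re

SAMPLE_CAPTURE = """\
GET /en-US/firefox/extensions/alerts-updates/ HTTP/1.1
Host: preview.addons.mozilla.org
Accept: text/html,application/xhtml+xml

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY

GET /en-US/firefox/collections/example/ HTTP/1.1
Host: preview.addons.mozilla.org

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8

GET /media/css/example.css HTTP/1.1
Host: preview.addons.mozilla.org

HTTP/1.1 200 OK
Content-Type: text/css

GET /en-US/firefox/example-embed/ HTTP/1.1
Host: preview.addons.mozilla.org

HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
"""

REQUEST_LINE = re.compile(r"^[A-Z]+ (?P<path>\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (?P<status>\d{3})")
HTML_TYPES = ("text/html", "application/xhtml+xml")


def parse_headers(lines):
    """Header names are case-insensitive, so key them lower-cased.
    Lines without a colon (for example a literal <snip>) are ignored."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_capture(text):
    """Yield (path, status, response_headers) for each request/response pair.
    Blocks are separated by blank lines; a request block is followed by the
    status-line block that answers it."""
    blocks = [b.splitlines() for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    pending_path = None
    for block in blocks:
        req = REQUEST_LINE.match(block[0])
        if req:
            pending_path = req.group("path")
            continue
        resp = STATUS_LINE.match(block[0])
        if resp and pending_path is not None:
            yield pending_path, int(resp.group("status")), parse_headers(block[1:])
            pending_path = None


def audit_frame_options(text, expected="DENY"):
    """Return {path: verdict} for every HTML response in the capture.
    Non-HTML responses (css, images) are skipped, matching comment 4's scope.
    Every status code is checked: an HTML error page can be framed too."""
    findings = {}
    for path, status, headers in parse_capture(text):
        content_type = headers.get("content-type", "")
        if not content_type.lower().startswith(HTML_TYPES):
            continue
        value = headers.get("x-frame-options")
        if value is None:
            findings[path] = "missing"
        elif value.upper() == expected.upper():
            findings[path] = "ok"
        else:
            findings[path] = "unexpected: " + value
    return findings


if __name__ == "__main__":
    for path, verdict in audit_frame_options(SAMPLE_CAPTURE).items():
        print("%-45s %s" % (path, verdict))
```

Feed it the saved capture instead of SAMPLE_CAPTURE and any path reported as missing is an HTML page the middleware did not reach, which is worth checking against the cases the thread mentions: a response built outside the Django middleware chain, a cached copy, or a view that deliberately opted out.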
Updated (Assignee) • 9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard