Closed Bug 584831 Opened 14 years ago Closed 14 years ago

Add x-frame-options to commonware

Categories

Product / Component: addons.mozilla.org Graveyard :: Code Quality
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

Status: VERIFIED FIXED
Target Milestone: 5.11.9

People

(Reporter: clouserw, Unassigned)

References

Details

From the "ClickJacking & X-Frame-Options" thread on webappsec, we should add this header to commonware, which will fix up AMO and SUMO. From the email:

Add the additional header of x-frame-options that is set to "DENY" or
"SAMEORIGIN".
- Deny prevents any site from framing the page
- Sameorigin allows only sites from the same domain to frame the page
Unless we have a specific use case that needs framing we will default to
"x-frame-options: DENY"
http://github.com/jsocol/commonware/commit/3ca2020a43413

Commonware is patched. Add commonware.middleware.FrameOptionsHeader to MIDDLEWARE_CLASSES and you're good to go.
Assignee: james → nobody
Blocks: 568768
thanks, http://github.com/jbalogh/zamboni/commit/df1d19304a385c52c8fcc888f6ffc240634eb0c5
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
So this should be on all GET requests for HTML assets?

https://preview.addons.mozilla.org/en-US/firefox/extensions/alerts-updates/

GET /en-US/firefox/extensions/alerts-updates/ HTTP/1.1
Host: preview.addons.mozilla.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://preview.addons.mozilla.org/en-US/firefox/
<snip>

HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: pm-app-amo24
Vary: Accept-Encoding
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Date: Tue, 31 Aug 2010 18:01:54 GMT
Keep-Alive: timeout=5, max=994
Transfer-Encoding: chunked
Via: Moz-Cache-zlb03
Connection: Keep-Alive
X-Frame-Options: DENY
(In reply to comment #3)
> So this should be on all GET requests for HTML assets?

Only things coming from django, so, yes on pages like the above, no on images, css, etc.
Verified FIXED for AMO -- I created, edited, deleted, tagged, etc., then pasted the Live HTTP Headers output into a text editor and looked for X-Frame-Options: DENY; looks like SUMO will be adding it separately (though it was added to the middleware).
Status: RESOLVED → VERIFIED
Depends on: 593387
Depends on: 595634
Product: addons.mozilla.org → addons.mozilla.org Graveyard
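Added example, not commonware's or zamboni's own code: the two halves of what this bug describes, a Django-style process_response middleware that defaults every response to X-Frame-Options: DENY (comment 1), and a checker for the verification step in comment 5 that scans a Live-HTTP-Headers-style capture and flags only HTML responses lacking DENY or SAMEORIGIN, so static assets served outside Django (comment 4) are not reported. The Response stand-in, the "leave a header a view already set alone" rule, and the /media/css/main.css and /maintenance.html exchanges in the sample capture are assumptions constructed for this example; only the first exchange is taken from comment 3.

```python
"""Added example (not commonware's or zamboni's code): a minimal
X-Frame-Options middleware plus a Live-HTTP-Headers capture checker."""
from dataclasses import dataclass, field

ALLOWED = {"DENY", "SAMEORIGIN"}          # values accepted by the email in comment 0
HTML_TYPES = ("text/html", "application/xhtml+xml")


@dataclass
class Response:
    """Stand-in for a Django HttpResponse (constructed for this example);
    only the headers matter here."""
    headers: dict = field(default_factory=dict)


class FrameOptionsHeader:
    """Old-style (MIDDLEWARE_CLASSES) middleware in the spirit of the one the
    bug enables. Default is DENY; a view with a real framing use case can set
    SAMEORIGIN itself and is left alone (this example's choice, not commonware's)."""

    def process_response(self, request, response):
        if "X-Frame-Options" not in response.headers:
            response.headers["X-Frame-Options"] = "DENY"
        return response


def _parse_blocks(capture):
    """Split a capture into header blocks. Blocks are separated by blank
    lines; a bare '<snip>' line (as in comment 3) is ignored."""
    blocks, current = [], []
    for line in capture.splitlines():
        line = line.strip()
        if not line:
            if current:
                blocks.append(current)
                current = []
        elif line != "<snip>":
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def _headers(lines):
    """Header lines after the status/request line -> {lower-name: value}."""
    out = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def audit_capture(capture):
    """Pair each request block with the response that follows it and return
    [(request_target, status)] where status is:
      'ok'       HTML response carrying DENY or SAMEORIGIN
      'missing'  HTML response without an acceptable X-Frame-Options
      'n/a'      non-HTML asset (images, CSS, ...), header not expected"""
    findings, pending = [], None
    for block in _parse_blocks(capture):
        first = block[0]
        if first.startswith("HTTP/"):
            if pending is None:
                continue                       # response with no request seen
            hdrs = _headers(block)
            ctype = hdrs.get("content-type", "").split(";")[0].strip()
            xfo = hdrs.get("x-frame-options", "").upper()
            if ctype in HTML_TYPES:
                status = "ok" if xfo in ALLOWED else "missing"
            else:
                status = "n/a"
            findings.append((pending, status))
            pending = None
        else:
            pending = first.split()[1]         # target of "GET /path HTTP/1.1"
    return findings


# Constructed capture: exchange 1 is trimmed from comment 3; the CSS file and
# the Apache-served maintenance page are invented to show the other two cases.
SAMPLE_CAPTURE = """\
GET /en-US/firefox/extensions/alerts-updates/ HTTP/1.1
Host: preview.addons.mozilla.org
Accept: text/html,application/xhtml+xml
<snip>

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY

GET /media/css/main.css HTTP/1.1
Host: preview.addons.mozilla.org

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/css

GET /maintenance.html HTTP/1.1
Host: preview.addons.mozilla.org

HTTP/1.1 503 Service Unavailable
Server: Apache
Content-Type: text/html; charset=iso-8859-1
"""

if __name__ == "__main__":
    for target, status in audit_capture(SAMPLE_CAPTURE):
        print(f"{status:8} {target}")
```

The third exchange is the case worth watching for after a deploy like this one: an HTML page that never passes through Django (an Apache error or maintenance page, a static HTML file) gets no header from the middleware and is reported as missing, while the CSS file is correctly ignored.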