Closed Bug 595634 Opened 14 years ago Closed 14 years ago

Get Add-ons page does not display because of inappropriate server restrictions

Categories

(addons.mozilla.org Graveyard :: Discovery Pane, defect)

Product:
addons.mozilla.org Graveyard
Component:
Discovery Pane
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
5.11.10

People

(Reporter: wgianopoulos, Assigned: clouserw)

References

Details

(Keywords: regression, Whiteboard: [AOMTestday][in-litmus-bug-week])

Bug 584831 added the header "X-Frame-Options: DENY" to content returned form AMO. The issue here is that pages in the path "https://services.addons.mozilla.org/%LOCALE%/%APP%/discovery/" are intended to be displayed in a frame. Since the frameset is defined in "about:addons", even specifying SAMEORIGIN rather than DENY does not help here. The X-Frame_Options header should not be presented for pages returned from these directories.
Blocks: 593387
HINT: In order to implement this, it is probably easier to change the location of these pages to: https://services.addons.mozilla.org/discovery/%LOCALE%/%APP%/
blocking2.0: --- → ?
It's looking increasingly like the bug in Firefox here won't be fixed before b6, if we want to show off the new discovery pane then I suggest we look at removing the header from it for the time being. This can be flipped back at a later time once we're all fixed
Component: Code Quality → Discovery Pane
QA Contact: code-quality → discoverypane
James: Is there a way to do this in the middleware? Something like an @allow_framing decorator?
Target Milestone: --- → 5.11.10
After following the comments in the client side bug the last couple weeks, I'm starting to think it's not worth fixing in the client at all since this is the only page that it would help. I think everything on services.amo should be frameable.
(In reply to comment #4) > After following the comments in the client side bug the last couple weeks, I'm > starting to think it's not worth fixing in the client at all since this is the > only page that it would help. > > I think everything on services.amo should be frameable. With our current set of pages I think that would be fine but as we offer other options and interactions it could become a problem later. I suspect we'll promptly forget about it and not revisit it until someone else does first. (note that I've been paying little attention to the client bugs)
(In reply to comment #3) > James: Is there a way to do this in the middleware? Something like an > @allow_framing decorator? Not yet. Patches welcome! (Let me know if anyone else needs commit access to commonware. Or we can fork it to mozilla and let the webdev team have at it.)
(In reply to comment #4) > After following the comments in the client side bug the last couple weeks, I'm > starting to think it's not worth fixing in the client at all since this is the > only page that it would help. I think it is certainly worth fixing in the client, as we move more and more of our UI to tabs this will just come back to bite us, but I'm sure it will be a quicker fix for the time being to remove the header for the time being.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Bug to turn this back on is bug 596052. This should go live tomorrow.
blocking2.0: ? → final+
Verified fixed with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b7pre) Gecko/20100917 Firefox/4.0b7pre
Status: RESOLVED → VERIFIED
Flags: in-testsuite-
Flags: in-litmus-
Whiteboard: [AOMTestday][in-litmus-bug-week]
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.