Closed Bug 609960 Opened 15 years ago Closed 15 years ago

Use X-Frame-Options Header to Prevent Malicious Site Framing

Categories

(mozilla.org Graveyard :: Webdev, task)

Platform: All
OS: Other
Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mcoates, Unassigned)

Details

(Whiteboard: [infrasec:crossdomain])

Issue

The admin site is not using the X-Frame-Options header to prevent malicious framing of the site.

Steps to Reproduce:
1. Log in
2. Inspect the HTTP response and observe X-Frame-Options is not included

Recommended Remediation

Add the X-Frame-Options header to all /admin responses. This value can likely be set to DENY since no sites will need to frame the admin page.

https://developer.mozilla.org/en/the_x-frame-options_response_header
Note: this is just for the admin page. No need to do this for the actual snippet that is delivered to the client. (that would likely break things anyway)
Adding X-FRAME-OPTIONS to all URLs, except for snippet view responses https://github.com/lmorchard/home-snippets-server/commit/0b8c1380f8449b28f0a84e572de223664f9726a0
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard