Closed Bug 807088 Opened 13 years ago Closed 13 years ago

Allow x-frame of ToS and PP for Persona dialog

Categories

(Marketplace Graveyard :: Consumer Pages, defect, P2)

RESOLVED FIXED
2013-01-10

People

(Reporter: smcarthur, Assigned: cvan)

Details

We need to show the ToS and PP in an iframe in the dialog. While testing, we're using *.personatest.org, and when live, it will be *.persona.org. * because the subdomains aren't certain yet.
FYI, the marketplace URLs that need the header adjustments can be seen here https://github.com/mozilla/zamboni/blob/master/media/js/mkt/login.js#L5
Should just be a matter of putting this in the view:
> response = jingo.render(request, 'sometemplate.html', {})
> response['x-frame-options'] = 'allow'
> return response
There might be a decorator for it too.
Assignee: nobody → ashort
Priority: -- → P1
Target Milestone: --- → 2012-11-08
(In reply to Wil Clouser [:clouserw] from comment #2)
> > response = jingo.render(request, 'sometemplate.html', {})
> > response['x-frame-options'] = 'allow'
Be careful with this. We should only allow the persona domain(s), not all domains. The header to use is allow-from: http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00#section-2.4.1
However, it looks like we may not be able to specify multiple domains: http://stackoverflow.com/questions/10205192/x-frame-options-allow-from-multiple-domains
We could add a setting to flip it between persona.org and personatest.org because I don't think we'd need both at the same time. The test one is useful on mkt dev in the rare case that we need to test out an unreleased persona feature.
To make it more fun, personatest.org is only used for breakout features, like this b2g dialog. Once it's merged back in, typical dev domain is dev.anosrep.org.
Priority: P1 → P2
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
We're currently testing the B2G dialog and marketplace from notoriousb2g.personatest.org, and it sounds like the eventual domain will be fxos.login.persona.org.
Per comment #6 we need to allow it for multiple domains. It's just PP and TOS so we might as well allow-all.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: ashort → cvan
Target Milestone: 2012-11-08 → 2013-01-10
For completeness, you should get a Referer: header which would give you a domain that you could dynamically allow (if it's on a whitelist) with the x-frame-options: header.
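The Referer-based whitelist described in the comment above, as an added example that is not code from this bug or from zamboni: the view would set the returned value on the response. The whitelist contents, the wildcard-subdomain rule for persona.org and personatest.org, and the function names are assumptions; because ALLOW-FROM takes exactly one origin, the origin is taken from the Referer of the framing page and anything unknown or malformed falls back to DENY.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed whitelist using the domains discussed in this bug. True means
# any subdomain may frame the ToS/PP page; False means exact host only.
# A real deployment would load this from settings.
ALLOWED_FRAME_HOSTS = {
    "persona.org": True,
    "personatest.org": True,
    "dev.anosrep.org": False,
}
ALLOWED_SCHEMES = {"https"}


def _host_allowed(host: str) -> bool:
    """Exact match, or a subdomain match where the whitelist permits it."""
    host = host.lower().rstrip(".")
    for allowed, wildcard in ALLOWED_FRAME_HOSTS.items():
        if host == allowed:
            return True
        # endswith("." + allowed) rejects look-alikes such as evilpersona.org
        if wildcard and host.endswith("." + allowed):
            return True
    return False


def frame_options_for(referer: Optional[str]) -> str:
    """Return the X-Frame-Options value for a ToS/PP response.

    Fails closed: a missing Referer (e.g. suppressed by the framing site's
    referrer policy), a non-https scheme, userinfo in the URL, an invalid
    port or a host outside the whitelist all yield DENY.
    """
    if not referer:
        return "DENY"
    parts = urlsplit(referer.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return "DENY"
    if parts.username is not None or parts.password is not None:
        return "DENY"
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return "DENY"
    if not _host_allowed(parts.hostname):
        return "DENY"
    origin = f"{parts.scheme.lower()}://{parts.hostname.lower()}"
    if port is not None:
        origin += f":{port}"
    return f"ALLOW-FROM {origin}"
```

Current browsers have dropped ALLOW-FROM in favour of the CSP frame-ancestors directive, which accepts several origins at once; the same whitelist check can emit that header instead.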
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED