myfaces-dev mailing list archives

From "Udo Schnurpfeil (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Created] (TOBAGO-1822) Modernize frame attack handling
Date Thu, 09 Nov 2017 12:44:00 GMT
Udo Schnurpfeil created TOBAGO-1822:
---------------------------------------

             Summary: Modernize frame attack handling
                 Key: TOBAGO-1822
                 URL: https://issues.apache.org/jira/browse/TOBAGO-1822
             Project: MyFaces Tobago
          Issue Type: Improvement
          Components: Themes
            Reporter: Udo Schnurpfeil
            Assignee: Udo Schnurpfeil


Currently the Tobago configuration attribute "preventFrameAttacks" is implemented with CSS
and JavaScript. These days all supported browsers support the HTTP header "X-Frame-Options".
So, this header should be set.

Nevertheless, this header is deprecated by the CSP Level 2 directive "frame-ancestors", which
has good support, except in IE11.

So we should
# use the HTTP header "X-Frame-Options" if preventFrameAttacks is set, and
# the developer might set the CSP Level 2 directive "frame-ancestors".

The default in Tobago should be: don't allow (with both techniques).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
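The two-header scheme the issue proposes, worked through as an added example that is not part of the issue or of Tobago's own (Java) code base. It is written in Python against a WSGI-style list of (name, value) header tuples, which is an assumption for illustration; `anti_framing_headers`, `cross_origin_framing_blocked` and the `prevent_frame_attacks` / `frame_ancestors` parameters are names chosen here, not Tobago API. It shows the edge case a practitioner trips over: a developer-supplied Content-Security-Policy must be merged with, not overwritten by, the framework's frame-ancestors directive, and a response that carries only frame-ancestors still leaves IE11 frameable.

```python
"""Added example (not Tobago's code): apply the TOBAGO-1822 proposal to a
WSGI-style header list. Both techniques are emitted by default:
X-Frame-Options for browsers without CSP Level 2 (IE11), the CSP
frame-ancestors directive for everyone else, without clobbering a
Content-Security-Policy the developer already set."""

from typing import List, Optional, Tuple

Header = Tuple[str, str]


def _split_csp(value: str) -> List[str]:
    """Split a CSP header value into trimmed, non-empty directives."""
    return [d.strip() for d in value.split(";") if d.strip()]


def anti_framing_headers(
    headers: List[Header],
    prevent_frame_attacks: bool = True,  # hypothetical switch, mirrors Tobago's preventFrameAttacks
    frame_ancestors: Optional[str] = None,  # hypothetical: developer's frame-ancestors source list
) -> List[Header]:
    """Return a copy of `headers` with frame-attack protection applied.

    With `prevent_frame_attacks` off, nothing is touched (the issue's opt-out).
    Otherwise the CSP frame-ancestors directive is added to an existing
    Content-Security-Policy header (or a new one is created) unless the
    developer already put frame-ancestors there, and X-Frame-Options is set
    for browsers that do not understand CSP Level 2.
    """
    if not prevent_frame_attacks:
        return list(headers)

    sources = frame_ancestors or "'none'"  # default: deny everything
    # X-Frame-Options only knows DENY / SAMEORIGIN; any finer-grained list can
    # only be expressed with frame-ancestors, so SAMEORIGIN is the closest
    # fallback for browsers that ignore CSP.
    xfo = "DENY" if sources == "'none'" else "SAMEORIGIN"

    out: List[Header] = []
    csp_seen = False
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            continue  # replaced by the value computed above
        if lname == "content-security-policy":
            csp_seen = True
            directives = _split_csp(value)
            if not any(d.lower().startswith("frame-ancestors") for d in directives):
                directives.append(f"frame-ancestors {sources}")
            value = "; ".join(directives)
        out.append((name, value))

    if not csp_seen:
        out.append(("Content-Security-Policy", f"frame-ancestors {sources}"))
    out.append(("X-Frame-Options", xfo))
    return out


def cross_origin_framing_blocked(headers: List[Header], supports_csp_level2: bool) -> bool:
    """Model whether a browser refuses to render this response in a frame on a
    foreign origin. A CSP Level 2 browser enforces frame-ancestors and, per the
    CSP2 spec, ignores X-Frame-Options when that directive is present; an
    older browser such as IE11 only understands X-Frame-Options."""
    hdr = {name.lower(): value for name, value in headers}
    if supports_csp_level2:
        for directive in _split_csp(hdr.get("content-security-policy", "")):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.lower() for s in parts[1:]]
                # an empty list means 'none'; 'self' admits only the same origin;
                # anything else ('*', a host) lets some foreign embedder in
                return all(s in ("'none'", "'self'") for s in sources)
    xfo = hdr.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    # constructed sample response: the developer already set a CSP
    app_headers = [("Content-Type", "text/html"),
                   ("Content-Security-Policy", "default-src 'self'; script-src 'self'")]
    for name, value in anti_framing_headers(app_headers, frame_ancestors="'self'"):
        print(f"{name}: {value}")
```

The second function is the check worth keeping around: run it over a response that carries only `frame-ancestors 'none'` and it reports the IE11 case as unprotected, which is exactly why the issue keeps X-Frame-Options alongside the CSP directive rather than replacing it.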
