myfaces-dev mailing list archives

From "Udo Schnurpfeil (JIRA)" <>
Subject [jira] [Created] (TOBAGO-1822) Modernize frame attack handling
Date Thu, 09 Nov 2017 12:44:00 GMT
Udo Schnurpfeil created TOBAGO-1822:

             Summary: Modernize frame attack handling
                 Key: TOBAGO-1822
             Project: MyFaces Tobago
          Issue Type: Improvement
          Components: Themes
            Reporter: Udo Schnurpfeil
            Assignee: Udo Schnurpfeil

Currently the Tobago configuration attribute "preventFrameAttacks" is implemented with CSS
and JavaScript. These days all supported browsers support the HTTP header "X-Frame-Options",
so this header should be set.

Nevertheless, this header is deprecated by the CSP Level 2 directive "frame-ancestors", which
has good support, except in IE11.

So we should
1. use the HTTP header "X-Frame-Options" if preventFrameAttacks is set, and
2. the developer might set the CSP Level 2 directive "frame-ancestors".

The default in Tobago should be: don't allow (with both techniques).

This message was sent by Atlassian JIRA
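As an added illustration of the two techniques proposed in the ticket (this is example code, not Tobago's implementation), the following servlet filter sends both headers. It assumes the javax.servlet API and two hypothetical init-params, "preventFrameAttacks" and "frameAncestors"; the Tobago attribute of the same name is configured differently. The legacy header is derived from the CSP source list because X-Frame-Options can only express the two cases 'none' (DENY) and 'self' (SAMEORIGIN).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical anti-framing filter (example code, not part of Tobago).
 * Sends the legacy X-Frame-Options header for browsers such as IE11 and the
 * CSP Level 2 frame-ancestors directive for everything else. Browsers that
 * understand frame-ancestors ignore X-Frame-Options when both are present.
 */
public class FrameOptionsFilter implements Filter {

    // Assumed init-param names; both default to "deny framing everywhere".
    private boolean preventFrameAttacks = true;
    private String frameAncestors = "'none'";

    @Override
    public void init(FilterConfig config) {
        String prevent = config.getInitParameter("preventFrameAttacks");
        if (prevent != null) {
            preventFrameAttacks = Boolean.parseBoolean(prevent.trim());
        }
        String ancestors = config.getInitParameter("frameAncestors");
        if (ancestors != null && !ancestors.trim().isEmpty()) {
            frameAncestors = ancestors.trim();
        }
    }

    /**
     * Maps a frame-ancestors source list to the equivalent X-Frame-Options
     * value, or null when the legacy header cannot express the policy
     * (an explicit origin list); in that case only CSP is sent.
     */
    static String legacyValueFor(String ancestors) {
        if ("'none'".equals(ancestors)) {
            return "DENY";
        }
        if ("'self'".equals(ancestors)) {
            return "SAMEORIGIN";
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (preventFrameAttacks && response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Headers must be set before the response is committed, i.e. before chain.doFilter.
            String legacy = legacyValueFor(frameAncestors);
            if (legacy != null) {
                http.setHeader("X-Frame-Options", legacy);
            }
            http.setHeader("Content-Security-Policy", "frame-ancestors " + frameAncestors);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

With the defaults the filter emits `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'`, which is the "don't allow (with both techniques)" default the ticket asks for. If the application already sends a Content-Security-Policy header, the frame-ancestors directive should be merged into that policy rather than sent as a second header, since every CSP header a browser receives is enforced independently.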
