myfaces-dev mailing list archives

From "Hudson (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Commented] (TOBAGO-1822) Modernize frame attack handling
Date Fri, 10 Nov 2017 14:47:00 GMT

    [ https://issues.apache.org/jira/browse/TOBAGO-1822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247593#comment-16247593 ]

Hudson commented on TOBAGO-1822:
--------------------------------

SUCCESS: Integrated in Jenkins build Tobago Trunk #1122 (See [https://builds.apache.org/job/Tobago%20Trunk/1122/])
TOBAGO-1822: Modernize frame attack handling * step 2: base config for (lofwyr: rev ade9c1458d78132325af6e014a52011331b22853)
* (edit) tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
* (edit) tobago-core/src/main/resources/META-INF/tobago-config.xml


> Modernize frame attack handling
> -------------------------------
>
>                 Key: TOBAGO-1822
>                 URL: https://issues.apache.org/jira/browse/TOBAGO-1822
>             Project: MyFaces Tobago
>          Issue Type: Improvement
>          Components: Themes
>            Reporter: Udo Schnurpfeil
>            Assignee: Udo Schnurpfeil
>             Fix For: 4.0.0
>
>
> Currently the Tobago configuration attribute "preventFrameAttacks" is implemented with
> CSS and JavaScript. These days all supported browsers support the HTTP header "X-Frame-Options".
> So, this header should be set.
> Nevertheless this header is deprecated by the CSP Level 2 directive "frame-ancestors",
> which has good support, except in IE11.
> So we should
> # use the HTTP header "X-Frame-Options", if preventFrameAttacks is set and
> # the developer might set the CSP Level 2 directive "frame-ancestors"
> The default in Tobago should be: don't allow (with both techniques).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
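The two techniques named in the issue (the legacy "X-Frame-Options" header plus the CSP Level 2 "frame-ancestors" directive, with "don't allow" as the default) can be applied from a single servlet filter. The filter below is an added example written for this archive page; it is not Tobago code and does not use Tobago's configuration API. The init-parameter names "preventFrameAttacks" and "frameAncestors" and the class name FrameProtectionFilter are this example's own assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not part of Tobago: sends both anti-framing headers on every
 * response that passes through the filter.
 *
 * Init parameters (names chosen for this example, not Tobago's):
 *   preventFrameAttacks  "true" (default) or "false"
 *   frameAncestors       optional CSP source list, e.g. "'self' https://portal.example";
 *                        when absent the default is 'none' (deny everything)
 */
public class FrameProtectionFilter implements Filter {

  private boolean preventFrameAttacks = true;   // secure default: deny framing
  private String frameAncestors = "'none'";     // secure default: deny framing

  @Override
  public void init(FilterConfig config) {
    String prevent = config.getInitParameter("preventFrameAttacks");
    if (prevent != null) {
      preventFrameAttacks = Boolean.parseBoolean(prevent.trim());
    }
    String ancestors = config.getInitParameter("frameAncestors");
    if (ancestors != null && !ancestors.trim().isEmpty()) {
      frameAncestors = ancestors.trim();
    }
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    if (preventFrameAttacks && response instanceof HttpServletResponse) {
      HttpServletResponse http = (HttpServletResponse) response;

      // Legacy header, the only one IE11 understands. It can express DENY or
      // SAMEORIGIN but not an allow-list, so a cross-origin frame-ancestors list
      // falls closed to SAMEORIGIN for browsers that only know X-Frame-Options.
      String xfo = "'none'".equals(frameAncestors) ? "DENY" : "SAMEORIGIN";
      http.setHeader("X-Frame-Options", xfo);

      // CSP Level 2 directive; browsers that support it ignore X-Frame-Options
      // when frame-ancestors is present. Append to an existing policy rather
      // than overwrite it, so other directives set upstream survive.
      String directive = "frame-ancestors " + frameAncestors;
      String existing = http.getHeader("Content-Security-Policy");
      http.setHeader("Content-Security-Policy",
          existing == null ? directive : existing + "; " + directive);
    }
    // Headers must be set before the chain writes the body, otherwise the
    // response may already be committed and setHeader() is silently ignored.
    chain.doFilter(request, response);
  }

  @Override
  public void destroy() {
  }
}
```

Register it in web.xml with a filter-mapping on "/*" (or on the Faces servlet's URL pattern) so every page, not just those rendered by a particular component, carries the headers. With no init parameters the result is "X-Frame-Options: DENY" together with "Content-Security-Policy: frame-ancestors 'none'", which is the "don't allow (with both techniques)" default the issue asks for; setting frameAncestors to "'self'" yields SAMEORIGIN plus "frame-ancestors 'self'". A quick check after deployment is to request any page with curl -I and confirm both headers are present exactly once.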
