Add X-Frame-Options header to HTML responses

Bug #863904 reported by François Marier
Affects: Libravatar (obsolete)
Status: Fix Released
Importance: Low
Assigned to: François Marier
Milestone: (none listed)

Bug Description

To prevent ClickJacking, we should set the X-Frame-Options to Deny for everything that returns HTML:

  https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Preventing_Malicious_Site_Framing_.28ClickJacking.29
  https://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

We'll need to make sure we don't set it on the dynamic resizer / resolver though.

Tags: security
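As an added illustration of the fix the report asks for (not Libravatar's own code), the WSGI middleware below sets X-Frame-Options: DENY on every HTML response while leaving the dynamic resolver/resizer alone; the "/avatar/" path prefix used for that exemption is an assumption, as is the stand-in demo_app.

```python
# Added example, not Libravatar's own code. The "/avatar/" prefix for the
# dynamic resolver/resizer is an assumption, not taken from the bug report.
DEFAULT_EXEMPT_PREFIXES = ("/avatar/",)

def is_html_response(headers):
    """True when the Content-Type header marks the body as HTML."""
    for name, value in headers:
        if name.lower() == "content-type":
            media = value.split(";", 1)[0].strip().lower()
            return media in ("text/html", "application/xhtml+xml")
    return False  # no Content-Type at all: do not treat as HTML

class FrameDenyMiddleware:
    """Add X-Frame-Options: DENY to HTML responses outside exempt prefixes.
    Image responses from the resolver/resizer stay embeddable, and a header
    already set by the wrapped app is never overridden."""
    def __init__(self, app, exempt_prefixes=DEFAULT_EXEMPT_PREFIXES):
        self.app = app
        self.exempt_prefixes = tuple(exempt_prefixes)

    def __call__(self, environ, start_response):
        exempt = environ.get("PATH_INFO", "").startswith(self.exempt_prefixes)
        def wrapped_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            if (not exempt and is_html_response(headers)
                    and "x-frame-options" not in present):
                headers.append(("X-Frame-Options", "DENY"))
            return start_response(status, headers, exc_info)
        return self.app(environ, wrapped_start_response)

def response_headers(app, path):
    """Run one GET through `app`; return its response headers, names lower-cased."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured.update((name.lower(), value) for name, value in headers)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured

def demo_app(environ, start_response):
    """Constructed stand-in for the site: PNG under /avatar/, HTML elsewhere."""
    html = not environ["PATH_INFO"].startswith("/avatar/")
    ctype = "text/html; charset=utf-8" if html else "image/png"
    start_response("200 OK", [("Content-Type", ctype)])
    return [b"<html></html>" if html else b"\x89PNG"]

app = FrameDenyMiddleware(demo_app)
```

Checking `response_headers(app, "/account/")` shows the DENY header on the HTML page, while `response_headers(app, "/avatar/0123abcd")` returns only the image Content-Type.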
François Marier (fmarier) wrote :

It's now enabled on /account and /openid

description: updated
Changed in libravatar:
status: Confirmed → Fix Committed
Changed in libravatar:
status: Fix Committed → Fix Released
François Marier (fmarier) wrote :

Actually, this should be enabled throughout the www site (but probably not necessary on mirrors).

There's no reason to allow people to frame www.libravatar.org as far as I can see.

Changed in libravatar:
status: Fix Released → Confirmed
Changed in libravatar:
status: Confirmed → Fix Committed
Changed in libravatar:
status: Fix Committed → Fix Released