add x-frame headers #3739

Merged
merged 1 commit into from Nov 20, 2012

Conversation

4 participants
@davecocoa
Contributor

davecocoa commented Nov 18, 2012

As described in issue #3534, without X-Frame headers we are vulnerable to clickjacking. I used v1.2 because Sinatra already uses that version.
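The clickjacking fix the PR describes, as an added example written for this page rather than the PR's own code: the PR does not name the gem whose v1.2 it pulls in, so this hand-rolls the header-setting middleware in plain Ruby with no gem dependency. A Rack middleware is any object whose `call(env)` returns `[status, headers, body]`, so the code runs without Rack installed. `FrameOptions`, `BARE_APP`, `OPTING_APP`, `response_headers` and `framing_protected?` are names chosen here, and the request environment is a constructed stub.

```ruby
# Added example (not the PR's code): a minimal Rack-style middleware that sets
# X-Frame-Options so browsers refuse to render the app inside a third-party frame,
# plus a small check that audits a response for the header.

class FrameOptions
  # Values every browser that supports the header honours.
  ALLOWED = %w[DENY SAMEORIGIN].freeze

  def initialize(app, option: "SAMEORIGIN")
    unless ALLOWED.include?(option)
      raise ArgumentError, "unsupported X-Frame-Options value: #{option}"
    end
    @app = app
    @option = option
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Do not clobber a value the application set deliberately for this response.
    headers["X-Frame-Options"] ||= @option
    [status, headers, body]
  end
end

# Constructed stand-in for the real application: a lambda is a valid Rack app.
BARE_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html" }, ["<html>stream</html>"]]
end

# Constructed app that already chooses its own value for one response; the
# middleware must leave it alone.
OPTING_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html", "X-Frame-Options" => "DENY" }, ["<html>widget</html>"]]
end

# Returns the response headers of a GET to +path+ through +app+ using a
# constructed minimal Rack env (hypothetical helper, not a Rack API).
def response_headers(app, path = "/")
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path }
  _status, headers, _body = app.call(env)
  headers
end

# Audit check: true only if the response carries an X-Frame-Options value that
# actually restricts framing (a missing header or a permissive value fails).
def framing_protected?(headers)
  value = headers["X-Frame-Options"]
  !value.nil? && FrameOptions::ALLOWED.include?(value.upcase)
end

if __FILE__ == $PROGRAM_NAME
  puts "without middleware: #{framing_protected?(response_headers(BARE_APP))}"
  puts "with middleware:    #{framing_protected?(response_headers(FrameOptions.new(BARE_APP)))}"
end
```

Wrapping the application with `FrameOptions.new(app)` in the Rack stack is enough for the whole site; the `||=` keeps a per-response override possible for pages that legitimately need a different policy, and the constructor rejects values browsers would not enforce.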

@DeadSuperHero


Member

DeadSuperHero commented Nov 19, 2012

Good thinking; has anyone tested this out?

@MrZYX, what do you think? Tag for a hotfix, as this is a security concern?

@jhass


Member

jhass commented Nov 20, 2012

There's quite a lot an attacker needs to know/have upfront:

  • A trojan on my computer, or access to (my) wifi, to MITM attack me.
  • That I'm using Diaspora
  • Which pod I use
  • Which elements I'm going to click when I use it.

Since I haven't heard of a real-world attack on Diaspora through this method yet, I think a hotfix is unnecessary. That issue was reported months ago and yet no one has attacked Diaspora with it, so nice to have :)

Raven24 added a commit that referenced this pull request Nov 20, 2012

@Raven24 Raven24 merged commit 742d320 into diaspora:develop Nov 20, 2012

1 check passed

default The Travis build passed