security: start removing the possible use of frames. #538
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Will this break filesender if i run filesender it self in an iframe? |
|
Ah, good point. Will sameorigin work for you there? |
|
Should do, can test once it is merged |
|
If it doesn't work I'll revert later in the day. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There is only one area that I can see that uses frames/iframe in filesender. This is to support legacy browsers that do not support the FileReader API. The FileReader is supported on IE10 and many older browsers (https://developer.mozilla.org/en-US/docs/Web/API/FileReader#Browser_compatibility). This makes the legacy iframe code very unlikely to be useful these days.
As such I have made the default policy for X-Frame-Options to be deny. The iframe code has not been pruned yet in case it is discovered to be required by some sites and the X-Frame-Options can be adjusted to allow it again. If nobody notices that x-frame is denied then the legacy code can be pruned away.