Description:
XRF Vulnerability in GitBlit. Adding the Request header X-Frame-Options = SAMEORIGIN
will fix this for most modern browsers. However, for protection in legacy browsers
a JavaScript fix is needed. The headers are easy enough to add if one is using Apache
httpd as a proxy. The JavaScript fix is the only extra thing needed.
Expected Output:
An implementation of the JavaScript frame-breaker as described at the following link:
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script
Environment:
Gitblit Version 1.6.0 running on rhel 6 / tomcat 7 / apache httpd 2.2 with proxy ajp
Reported by 1988porsche944 on 2014-09-05 13:48:25
I've added the X-Frame-Options header to the response.
https://dev.gitblit.com/tickets/gitblit.git/166
I'll give the legacy browser support some thought - the issue would be making the proposed
snippet optional which Wicket makes more difficult when the injection point is in <head>.
From my understanding the framebusting snippet breaks *all* iframe usage and I know
that some users do embed Gitblit in an iframe.
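As an added example (not Gitblit's code and not the OWASP script verbatim), the legacy frame-breaker the reporter asks for, adjusted so that same-origin embedding, which the maintainer notes some users rely on, is still allowed. It assumes the page carries the OWASP `<style id="antiClickjack">body{display:none !important;}</style>` element in `<head>` before the script runs.

```javascript
// Added example (not Gitblit's code and not the OWASP snippet verbatim): the OWASP
// "best-for-now" legacy frame-breaker, extended to permit same-origin framing so it
// matches X-Frame-Options: SAMEORIGIN instead of breaking *all* iframe usage.
// Assumes <style id="antiClickjack">body{display:none !important;}</style> is in
// <head> before this script, as in the OWASP pattern.

// Scheme + host of an absolute URL, without the URL constructor (absent in the
// legacy browsers this script targets).
function originOf(href) {
  var m = /^([a-z][a-z0-9+.\-]*:\/\/[^\/?#]*)/i.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// Decide whether to reveal the page ("show") or break out of the frame ("bust").
// Reading top.location.href throws when the framing page is a different origin,
// so the catch path also means cross-origin framing.
function frameDecision(selfWin, topWin) {
  if (selfWin === topWin) return "show";           // not framed at all
  try {
    var selfOrigin = originOf(selfWin.location.href);
    var topOrigin = originOf(topWin.location.href);
    return selfOrigin !== null && selfOrigin === topOrigin ? "show" : "bust";
  } catch (e) {
    return "bust";                                 // access denied: cross-origin frame
  }
}

// Browser entry point: remove the hiding style only when framing is acceptable;
// otherwise navigate the top window to this page (the OWASP bust-out step).
function applyFrameBreaker(win, doc) {
  var decision = frameDecision(win, win.top);
  if (decision === "show") {
    var style = doc.getElementById("antiClickjack");
    if (style) style.parentNode.removeChild(style);
  } else {
    win.top.location = win.location;
  }
  return decision;
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyFrameBreaker(window, document);
}
```

The header stays the primary control; the script only covers browsers that ignore X-Frame-Options.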
Originally reported on Google Code with ID 500