Added warning for lack of browser support for the ALLOW-FROM option #4

Merged
merged 3 commits into from Jun 5, 2015
+1 −1

Added links to supporting articles

eligolding committed Jun 4, 2015
commit 52fcaa7bf168feed103e7142f7e689fac1db1067
@@ -24,4 +24,4 @@ app.use(frameguard('allow-from', 'http://example.com'));
**Limitations:** This has pretty good (but not 100%) browser support: IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+. It only prevents against a certain class of attack, but does so pretty well. It also prevents your site from being framed, which you might want for legitimate reasons.
**Warning:** The `ALLOW-FROM` header option is not supported in most browsers. Those browsers will ignore the entire header, and the frame *will* be displayed.
**Warning:** The `ALLOW-FROM` header option is [not supported in most browsers](https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options#Browser_compatibility). Those browsers will ignore the entire header, [and the frame *will* be displayed.](https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations_2)
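
Review bot: In the reworded Warning line, the second link's text ends with the sentence's period (`displayed.](https://www.owasp.org/...`), so the punctuation renders as part of the link; close the bracket before the period. Both links also rely on page fragments (`#Browser_compatibility`, `#Limitations_2`), and a numbered anchor like `#Limitations_2` will point at the wrong section or nowhere if the cheat sheet is reorganized, so it would help to name the target section in the link text. Separately, the Limitations line just above still lists broad browser support with no qualifier while this line says most browsers ignore `ALLOW-FROM`; consider stating in the Warning that the support list applies to the other options, so that a reader copying the `frameguard('allow-from', 'http://example.com')` example does not assume the same coverage.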

EvanHahn Jun 4, 2015

Member

Tiny nitpick: could you move the period outside of the link? Should look like this:

... [and the frame *will* be displayed](https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations_2).