
Added warning for lack of browser support for the ALLOW-FROM option #4

Merged
merged 3 commits into from Jun 5, 2015
+2 −0
@@ -23,3 +23,5 @@ app.use(frameguard('allow-from', 'http://example.com'));
```
**Limitations:** This has pretty good (but not 100%) browser support: IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+. It only prevents against a certain class of attack, but does so pretty well. It also prevents your site from being framed, which you might want for legitimate reasons.
**Warning:** The `ALLOW-FROM` header option is [not supported in most browsers](https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options#Browser_compatibility). Those browsers will ignore the entire header, [and the frame *will* be displayed.](https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations_2)
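Review bot: the added Warning line now contradicts the Limitations line directly above it, which still says the header has "pretty good (but not 100%) browser support: IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+" without distinguishing between directives, while the new text says `ALLOW-FROM` is ignored by most browsers; scope the Limitations sentence to the other directives (for example "The `DENY` and `SAMEORIGIN` options have pretty good (but not 100%) browser support: ...") so a reader does not take that support list as covering `ALLOW-FROM`. It would also help to spell out the consequence for the `frameguard('allow-from', 'http://example.com')` example the hunk sits under: in a browser that ignores the header, the page can be framed from any origin, not only from `http://example.com`, which is exactly the case the warning is meant to flag.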

EvanHahn Jun 4, 2015

Member

Tiny nitpick: could you move the period outside of the link? Should look like this:

... [and the frame *will* be displayed](https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations_2).