New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Proposal] By default set the X-Frame-Options HTTP header to SAMEORIGIN #1725
Comments
Sounds good to me. |
This would be cool. |
Or have a config in app config that is like "allow_iframe"? |
I can gurantee you there won't be a config option for this :) |
I'm still researching the entire issue as a whole though |
Yeah I'm not for a config option. It should just be default and override if needed. To be more clear, by setting sameorigin it can still be included in an iframe from the same domain so it's only limiting third party inclusion. On Jun 24, 2013, at 12:28 AM, Taylor Otwell notifications@github.com wrote:
|
Yeah. I think it's good by default, I'm just thinking that it should be well documented where to go in the shell to modify that behavior. Whether a config, or you have to do something like Request::setHeader(...)? On Mon, Jun 24, 2013 at 5:23 AM, Ian Landsman notifications@github.com
|
Done. |
If you're on 4.1 and don't want it add this to start file:
|
Is this functionality documented ? For instance if I want to use an other value. |
Not yet. It's 4.1 functionality. But it will be. — On Fri, Nov 15, 2013 at 12:26 PM, Fractaliste notifications@github.com
|
Is there any way to remove the X-Frame-Options header for a single route? During an after filter the X-Frame-Options header is not yet set and therefore can't be removed.
|
I can probably tweak it to check for the existence of the header. If it has already been set higher in the stack we shouldn't override. Good? |
Hmm... It wouldn't be possible to completely remove the header then, though? Just override it... |
There is an app forgetMiddleware function — On Tue, Nov 19, 2013 at 11:54 AM, BastianHofmann notifications@github.com
|
Correct, but it can only be used before the app handles the request i.e. in the start file. However for my usecase I found a work around which acctually makes my app more secure. My Conclusion: |
Fix for the change discussed in laravel#1725
Why not to add an option into one of config files and check it in FrameGuard ? |
That was discussed in this thread already. |
After wasting a day to find the issue I had is here (litterally but finding the problem point in the code), this FrameGuard is not helping at all, since all Facebook app developers will have blank apps. FrameGuard is executed somewhere in the actual sending of response, where the user has no control. There is no option for overriding it, tried in App::after, but instead of overriding FrameGuard value, it overrides mine. I suggest to remove it or make it configurable and mention it in the docs. Whole day searching in Google for hint and there were 0 useful topics and almost made me drop laravel for Facebook applications, where I find laravel very nice. |
I agree with Rolice. Wish I had these hours back that this issue stole from me. |
Try |
Thanks. Its a clean solution @Guillaumez I shared it in laravel forum topic I had opened before writing here: http://forums.laravel.io/viewtopic.php?pid=65620#p65620 It seems to work with forget middleware, ok this is solution, but we have to put it in somewhere in the docs, how I could relate as new user empty Facebook page with FrameGruard, especially with forgetMiddleware? Isn't it reversed logic, I expect to add/enable Middleware, not to forget it? I expect to write code, not to disable parts of it (talking for extra functionality which optimizes my code to run)? Its for me like:
...which is not constructive logic, but kind of opposite. I am trying to look from another view point. It is cool to have many/all things loaded, but there is also performance cost. I am wondering how many points like that exist currently in the version I have? Do I need them all? An idea is to move such optional executable functionality as an extension or something which is expected to be used only when needed (I don't instantiate FrameGuard, neither tell it what to do - it is self operating unit) or at least leave extra units disabled by default. However, the most important thing is to document that and other "issues" like it - to make laravel more accessible and easier to use. I can try to describe it somewhere. Correct me if I am wrong. I may also fork and apply solution to this issue after that. |
Frameguard is useful for 99% of cases, not useful for 1%. (Figure pulled out of my ass). Because of this, it makes sense to suit the use of the majority. Sent from my iPad
|
Thanks for your advice, @bencorlett. Still, an article put somewhere in the docs to mention potential problems for cross-domain communication would be nice. I have to dig around that. |
Is there no way to apply this override on a view by view basis? It flat out kills all Facebook page apps so has to be disabled to avoid blank pages. However, I assume it is useful generally so it would be good to keep it elsewhere. |
I might just pull this out. It seems to be nothing but trouble. |
I still think this doesn't impact 99.9999% of sites and adds security for them with the tradeoff of people building Facebook apps have to set one option. |
I dont know how many people affects, but surely those who develop cross-domain apps. It is useful, but the lack of control make it pain in the ass. If I can turn it off/on or set the value of DENY|SAMEORIGIN|ALLOW-FROM it will become shining diamond no matter if it is enabled by default (should be mentioned somewhere in the docs). |
I still wonder if this is better accomplished by an App::after(function($route, $request, $response) {
if ($request->is('whatever/*')) {
$response->header('whatever', 'whatever');
}
}); |
Well, for one is better that the developer has access to that code and can adapt it. |
Tried it some time ago and it did not helped. In my case (then Laravel 4.0.x) FrameGuard got executed after that scope. |
Ah right, forgot about that. Yeah, this needs to be an after filter really. |
Totally agree T.
|
@taylorotwell As a new user to Laravel, your after filter thought is pretty much how I expected to turn this off once I realized how it worked. Originally though, I thought it would be slick if all the headers were present when I constructed my Response: $response = Response::make('Laravel 4!');
$response->headers->unset('X-Frame-Options');//wishful thinking
return $response; After Googling for a while I ended up here from a couple StackOverflow questions. It may be less than 1% but there's a handful of us looking for a proper solution. Importantly, I think most developers want FrameGuard on most of the time. In my case I just need to turn it off for a single controller method that acts like the Evernote Web Clipper - accessible from any page. |
Removing this by default in 4.2. Should be in an after filter - will leave FrameGuard class so people can add the middleware manually if they want. |
Manlove.
|
this wasted me hours, if you want to build a facebook app you will come here, i wish you found this page early then me :) |
I have added a topic in the forums and answered myself, so I hope it will help there. :) |
This is a major back step. Who decided that no one uses the iframe tag anymore? Has it been deprecated without the rest of the internet being informed? |
This has wasted me a lot of time also. |
To all that feel this had wasted their time, how about getting involved with any proposal/suggestion on Github so before any changes happen your concern has been noted. Just look at the the discussion above, it took @taylorotwell 4 months to finally make this changes, within those 4 months there no objection. Why? Because does who were involve (responding to it) doesn't have any objection. |
This is the topic I have started: http://forumsarchive.laravel.io/viewtopic.php?pid=64869 |
Hey "modern web" advocates. Guess what? Facebook canvas apps are embedded within iframe. |
Can this thread please just die. Sent from my iPhone
|
Sounds good to me. |
This is my all time favorite thread |
This prevents adding a site sending the header from being included in an iframe which in turn prevents click hijacking. At this point iframes are pretty rare as a standard expected usage case and so defaulting to not allowing them seems to be a more secure way to go. It could always be enabled if needed in a particular case.
The text was updated successfully, but these errors were encountered: