Add CSP frame-ancestors, make X-Frame-Options conditional #977
Conversation
This looks good, but I think we should just move this out of the h5bp directory now and make it ours. If we customize these templates, they belong to us :)

Where is `arg_customize_changeset_uuid`
Yep, from the Customizer's embedded content:
Nginx supports variables such as `$arg_name` for the "argument name in the request line." Nginx allows checking the presence of query parameters with I figured the presence of that query parameter was the most convenient indicator of whether a request was for the Customizer's embedded content. Although a malicious embed could spoof this strategy by adding a fake
Move from h5bp to Trellis core
I added a commit commenting out the My choice of If Trellis begins to have or desire multiple Trellis core Nginx include files, perhaps the
The X-Frame-Options header has been obsoleted by the frame-ancestors directive. Retain the X-Frame-Options header for older browsers. Return empty X-Frame-Options header for WordPress Customizer content to prevent the conflict that SAMEORIGIN would have with the ALLOW-FROM option that WordPress adds on its own (Safari browser). Discussion in https://core.trac.wordpress.org/ticket/40020
* Add xdebug.remote_autostart to simplify xdebug sessions
* Update logrotate doc URL [ci skip]
* Update WP-CLI to 1.5.1.
* Update changelog. [ci skip]
* Update geerlingguy.composer 1.6.1->1.7.0 (roots#983)
  Update from `1.6.1` -> `1.7.0` which addresses roots#943 ([DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated.)
* Update geerlingguy.ntp 1.5.2->1.6.0 (roots#984)
  Avoids deprecation warnings introduced in Ansible 2.4: "The use of 'include' for tasks has been deprecated."
* Enable nginx to start on boot (roots#980)
* update changelog
* 'yarn run' -> 'yarn' [ci skip]
* Issue warning for all Ubuntu releases that are not Xenial (roots#986)
* Clarify that changelog entry indicates Trellis version (roots#987)
* Validate python version on control machine (roots#988)
* Common: Install `git` instead of `git-core`
  Because `git-core` is now a dummy package of `git`. See: http://git.661346.n2.nabble.com/git-core-vs-git-package-on-ubuntu-tp7576083p7576085.html
* Add CSP frame-ancestors, make X-Frame-Options conditional (roots#977)
  The X-Frame-Options header has been obsoleted by the frame-ancestors directive. Retain the X-Frame-Options header for older browsers. Return empty X-Frame-Options header for WordPress Customizer content to prevent the conflict that SAMEORIGIN would have with the ALLOW-FROM option that WordPress adds on its own (Safari browser). Discussion in https://core.trac.wordpress.org/ticket/40020
* Improve failed_when rule for Wordpress Installed check (roots#991)
  In rare cases the wp_installed registered var may be missing the stderr attribute, so add a default to avoid related error. The `wp core is-installed` command return code is 1 if WP is simply not installed. However, in rare cases the command may return some other return code indicative of true failure, so fail if rc > 1.
* deploy.sh: Return non-zero exit code when misuse (roots#990)
  - Exit with `127` when not enough arguments
  - Exit with `1` when hosts file not exist
  See: http://www.tldp.org/LDP/abs/html/exitcodes.html
* Skip Acme Challenge failure message for non-failed sites (roots#993)
* Bump Ansible version_tested_max to 2.5.3 (roots#981)
  Bump Ansible version_tested_max to 2.5.3. Convert Jinja2 tests from filter format to `var is testname` format. Encourage users on Ansible 2.5.0 to upgrade to avoid erroneous warnings fixed in ansible/ansible 37538
* Add option to enable FastCGI background updates (roots#962)
  Enabled by default
* Add quotes to nginx_cache_background_update value "on"
  Quotes prevent Ansible from interpolating the variable value as True. True is an invalid value for fastcgi_cache_background_update and would make Nginx unable to reload.
* Verify `wp-cli.phar` checksum
@fullyint: Can this config block/option key
This PR adds a workaround to https://discourse.roots.io/t/safari-conflicting-multiple-x-frame-options/10077 until https://core.trac.wordpress.org/ticket/40020 is resolved.
frame-ancestors CSP

This PR adds the `frame-ancestors` CSP directive which has obsoleted the `X-Frame-Options` header. Note that it is acceptable to have multiple CSPs (i.e., in case users add other CSP headers).

Dynamic X-Frame-Options

This PR retains the `X-Frame-Options` header for the sake of older browsers, but returns an empty `X-Frame-Options` value for WordPress Customizer content. This prevents the Safari browser's conflict between `SAMEORIGIN` and the `ALLOW-FROM` option that WordPress adds on its own.
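The header logic described above and in the `$arg_customize_changeset_uuid` discussion, written out as an added Nginx configuration example; it is not Trellis' own template, and the `$x_frame_options` map variable and the server_name/root values are assumptions.

```nginx
# Added example, not Trellis' template. The map must live in the http{}
# context; the add_header directives belong in the site's server{} block.

# Choose the X-Frame-Options value from the presence of the
# customize_changeset_uuid query parameter, which WordPress appends to
# requests for the Customizer's embedded (iframed) preview.
# $arg_customize_changeset_uuid is Nginx's built-in $arg_<name> variable.
map $arg_customize_changeset_uuid $x_frame_options {
    ""      "SAMEORIGIN";  # parameter absent: legacy clickjacking protection
    default "";            # Customizer preview request: send no X-Frame-Options
}

server {
    listen 80;
    server_name example.com;  # constructed placeholder
    root /var/www/html;       # constructed placeholder

    # Sent unconditionally. Browsers that understand frame-ancestors use it
    # and ignore X-Frame-Options, so a spoofed query parameter only affects
    # browsers without CSP2 support.
    add_header Content-Security-Policy "frame-ancestors 'self';" always;

    # Nginx drops an add_header whose value expands to the empty string, so
    # Customizer responses carry only the ALLOW-FROM header WordPress sets
    # itself and Safari no longer sees two conflicting X-Frame-Options values.
    add_header X-Frame-Options $x_frame_options always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

add_header directives are inherited from the enclosing level only when a block defines none of its own, so any location that adds its own headers must repeat both directives or the protection silently disappears there.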