
X-Frame-Options is deprecated #408

Closed
ghost opened this issue Oct 4, 2014 · 9 comments

@ghost

ghost commented Oct 4, 2014

From jukka.m.svahn on December 09, 2013 13:17:12

X-Frame-Options is being deprecated in Firefox in favor of Content Security Policy (http://www.w3.org/TR/CSP), which is a standard candidate. We should migrate to it and leave the old X-Frame-Options as a fallback for older browsers. E.g.

header("Content-Security-Policy: default-src * 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self'"); // PHP header() takes a single "Name: value" string

Original issue: http://code.google.com/p/textpattern/issues/detail?id=404

@philwareham philwareham added this to the v4.6 milestone Oct 4, 2014
@vanmelick
Contributor

I know it's an example, but...

  • frame-src 'self' is deprecated; it should be replaced with child-src 'self'... but as I understand it, that means the page can only use iframe/frame children that come from the same server, which would break YouTube movies, which often (typically?) load via an iframe.
  • setting default-src as in the example doesn't seem to do much, because of the asterisk in there and allowing unsafe-inline / unsafe-eval. If the default is set like that, wouldn't it be better not to set a default and only send the header if the user defines it in config.php... and in that case, wouldn't it be just as easy for the user to call the header function from config.php?
  • X-Frame-Options: SAMEORIGIN may be deprecated, but its proposed replacement - the directive frame-ancestors in CSP level 2 - is marked as experimental / not for production use at https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives#frame-ancestors

andersk pushed a commit to andersk/textpattern that referenced this issue Nov 29, 2015
Ran the vendors directory through CS checker. Main
changes are bracket placements and converting tabs to
spaces. Contains few signature changes:

* Tag handlers use camel casing, 'render' prefix.
* set_language and set_owner in Textpack_Parser.

See issue textpattern#408

git-svn-id: http://textpattern.googlecode.com/svn/development/4.x@5757 2fea6a4d-a838-0410-917b-93a53c48e9d2
@Bloke
Member

Bloke commented Mar 6, 2016

No idea what the correct solution is here. @vanmelick: care to propose one?

@philwareham
Member

Bumping - @vanmelick @rwetzlmayr @bloatware do you know of a solution for this?

@bloatware
Member

Sorry, I don't understand the issue itself, the original issue link points to something seemingly unrelated.

@petecooper
Member

Browser support for CSP: http://caniuse.com/#feat=contentsecuritypolicy
CSP policy directives: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
And some OWASP for bedtime reading (search for 'deprecated'): https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

@philwareham philwareham modified the milestones: v4.7, v4.6 May 20, 2016
@bloatware bloatware self-assigned this Nov 22, 2016
@philwareham
Member

The replacement for:

X-Frame-Options: SAMEORIGIN

...is:

Content-Security-Policy: frame-ancestors 'self'

...and is pretty well supported now. You'd at best need to keep both around for now.
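The precedence between the two headers, and the pitfalls vanmelick raised earlier in the thread (frame-src/child-src controlling what a page embeds rather than who may embed it, a default-src of * with unsafe-inline restricting almost nothing), can be checked mechanically. The following is an added example written for this page, not Textpattern code: it parses a response's Content-Security-Policy and X-Frame-Options headers and decides whether a given parent origin may frame the page, applying the CSP Level 2 rule that a browser which understands frame-ancestors ignores X-Frame-Options when that directive is present. The page origin and the two header sets in the demo are constructed, and host-source matching is simplified (scheme-less sources match any scheme, paths are ignored).

```python
"""Evaluate the framing (clickjacking) policy carried by a set of HTTP response headers.

Added example, not Textpattern code. A browser that understands frame-ancestors ignores
X-Frame-Options when that directive is present; otherwise X-Frame-Options decides.
Host-source matching is simplified: scheme-less sources match any scheme, paths are ignored.
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(value):
    """Turn "frame-ancestors 'self' https://a.example; img-src *" into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            # Browsers ignore a repeated directive, so the first occurrence wins here too.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def split_origin(origin):
    """'https://example.com:8443' -> ('https', 'example.com', 8443); default port filled in."""
    scheme, _, rest = origin.lower().partition("://")
    host, _, port = rest.partition(":")
    return scheme, host, int(port) if port else DEFAULT_PORTS.get(scheme)


def source_matches(source, origin):
    """Does one CSP host-source ('*', 'https://*.example.com', 'cdn.example:443') cover origin?"""
    if source == "*":
        return True
    scheme, host, port = split_origin(origin)
    source = source.lower()
    s_scheme, _, s_rest = source.partition("://") if "://" in source else ("", "", source)
    if s_scheme and s_scheme != scheme:
        return False
    s_host, _, s_port = s_rest.partition(":")
    if s_host.startswith("*."):
        if not host.endswith(s_host[1:]):  # '*.example.com' covers 'a.example.com', not 'example.com'
            return False
    elif s_host != host:
        return False
    return not s_port or s_port == "*" or int(s_port) == port


def _same_origin(a, b):
    return split_origin(a) == split_origin(b)


def framing_allowed(headers, page_origin, parent_origin, supports_frame_ancestors=True):
    """Return (allowed, reason): may parent_origin embed a page served with these headers?"""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None and supports_frame_ancestors:
        # frame-ancestors is authoritative; X-Frame-Options is ignored by such browsers.
        if "'none'" in ancestors:
            return False, "frame-ancestors 'none'"
        if "'self'" in ancestors and _same_origin(parent_origin, page_origin):
            return True, "frame-ancestors 'self'"
        if any(source_matches(s, parent_origin) for s in ancestors if not s.startswith("'")):
            return True, "frame-ancestors host-source"
        return False, "frame-ancestors does not list the parent"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return _same_origin(parent_origin, page_origin), "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        return _same_origin(xfo.split(None, 1)[1], parent_origin), "X-Frame-Options: ALLOW-FROM"
    return True, "no framing restriction"


def policy_warnings(headers):
    """Flag the pitfalls raised in the thread: directives that never restrict embedding, missing fallback."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    warnings = []
    if "frame-ancestors" not in csp and ("frame-src" in csp or "child-src" in csp):
        warnings.append("frame-src/child-src govern what this page embeds, not who may embed it; add frame-ancestors")
    if "frame-ancestors" in csp and not xfo:
        warnings.append("no X-Frame-Options fallback for browsers without frame-ancestors support")
    if xfo and "frame-ancestors" not in csp:
        warnings.append("X-Frame-Options only: add frame-ancestors, which current browsers prefer")
    if xfo.startswith("ALLOW-FROM"):
        warnings.append("ALLOW-FROM is not honoured by most browsers; list the origin in frame-ancestors instead")
    default = csp.get("default-src", [])
    if "*" in default or "'unsafe-inline'" in default or "'unsafe-eval'" in default:
        warnings.append("default-src allows any host and/or inline/eval script, so it restricts almost nothing")
    return warnings


if __name__ == "__main__":
    page = "https://textpattern.example"  # constructed origin for the demo
    proposed = {"Content-Security-Policy":
                "default-src * 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self'"}
    recommended = {"Content-Security-Policy": "frame-ancestors 'self'",
                   "X-Frame-Options": "SAMEORIGIN"}
    for label, hdrs in (("original proposal", proposed), ("frame-ancestors + fallback", recommended)):
        print(label, framing_allowed(hdrs, page, "https://third-party.example"), policy_warnings(hdrs))
```

Running it shows the original proposal leaves the page embeddable by any third-party origin (frame-src never restricts ancestors), while the frame-ancestors 'self' plus X-Frame-Options: SAMEORIGIN pair blocks cross-origin framing both in browsers that implement frame-ancestors and, via the fallback, in those that do not.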

@bloatware
Member

We already ship it with .htaccess, but this works only (?) for apache servers.

@philwareham
Member

Ah yes, fine. I'm happy to close this issue then. Nginx has its own config that replaces (and ignores) .htaccess and we can document those on the documents site (since Nginx users will edit their own server config files directly we don't need further Nginx files in core over what @makss has already introduced, I think).

@philwareham
Member

Done.
