  1. OpenOLAT
  2. OO-3247

New security setting to prevent cross-frame attacks

    Details

    • Type: Improvement
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 12.3
    • Component/s: Framework
    • Labels:

      Description

      So far we have only used a JavaScript hack to prevent cross-frame scripting and clickjacking attacks. A better method is to use the X-Frame-Options header.

      The option is not on by default, but turning it on is encouraged. As we do not know whether it has any negative side effects, it is not on by default.

      See https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
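
Because the header is off by default, a deployment has to be checked to confirm it is actually sent. The following is an added example, not OpenOLAT code: it audits the X-Frame-Options header of a raw HTTP response, and the function names and sample responses are constructed for illustration.

```python
# Added example (not OpenOLAT code): audit X-Frame-Options in an HTTP response.
VALID = {"DENY", "SAMEORIGIN"}

def parse_raw_headers(raw):
    """Return (name, value) pairs from the header block of a raw response."""
    pairs = []
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                        # blank line ends the headers
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs

def audit_x_frame_options(headers):
    """Return (verdict, detail); verdict is enforced, unreliable or missing."""
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":   # header names are case-insensitive
            # Repeated headers may arrive folded into one comma-separated value.
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    distinct = sorted(set(values))
    if not distinct:
        return ("missing", "no X-Frame-Options header sent")
    if len(distinct) > 1:
        return ("unreliable", "conflicting values: " + ", ".join(distinct))
    only = distinct[0]
    if only in VALID:
        return ("enforced", only)
    if only.startswith("ALLOW-FROM"):
        return ("unreliable", "ALLOW-FROM is obsolete and ignored by current browsers")
    return ("unreliable", "unrecognised value: " + only)

# Constructed sample responses, not captured from a real server.
SAMPLES = {
    "setting on": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "setting off": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   "<script>if (top !== self) top.location = self.location;</script>",
    "proxy adds a second value": "HTTP/1.1 200 OK\r\nx-frame-options: DENY\r\n"
                                 "X-Frame-Options: SAMEORIGIN\r\n\r\n",
    "obsolete value": "HTTP/1.1 200 OK\r\n"
                      "X-Frame-Options: ALLOW-FROM https://portal.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", audit_x_frame_options(parse_raw_headers(raw)))
```

A "missing" verdict means the response relies on script-based frame busting alone, which is the situation the description above wants to move away from.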

            People

            • Assignee:
              gnaegi Florian Gnägi
              Reporter:
              gnaegi Florian Gnägi

                Time Tracking

                Estimated: Not Specified
                Remaining: 0m
                Logged: 40m