[OO-3247] New security setting to prevent cross-frame attacks - OpenOLAT Issue Management

XML

Word

Printable

Details

Type: Improvement
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 12.3
Component/s: Framework
Labels:
- XSS

Funded by:
- EY
- frentix

Description

So far we used a JavaScript hack only to prevent cross-frame scripting clickjacking attacks. A better method is to use the X-Frame-Options Header.

The option is not on by default but encouraged to turn on. As we do not know if it has any negative side effects it is no on by default.

See https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Attachments

Activity

People

Assignee:: Florian Gnägi

Reporter:: Florian Gnägi

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 17/Jan/18 3:45 PM

Updated:: 04/Apr/18 9:23 AM

Resolved:: 04/Apr/18 9:23 AM

Time Tracking

Estimated:

Not Specified

Remaining:

0m

Logged:

40m