[tahoe-lafs-trac-stream] [tahoe-lafs] #1455: WUI: ambiently accessible pages should framebust in order to prevent UI redressing attacks
tahoe-lafs
trac at tahoe-lafs.org
Tue Aug 28 18:11:11 UTC 2012
#1455: WUI: ambiently accessible pages should framebust in order to prevent UI
redressing attacks
-----------------------------+---------------------------------------------
Reporter: davidsarah | Owner:
Type: defect | Status: new
Priority: minor | Milestone: undecided
Component: code-frontend-web | Version: 1.8.2
Resolution: | Keywords: security ambient wui redressing
Launchpad Bug: |
-----------------------------+---------------------------------------------
Comment (by davidsarah):
According to
https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header ,
X-Frame-Options is supported by:
* Internet Explorer 8.0
* Firefox 3.6.9 (Gecko 1.9.2.9)
* Opera 10.50
* Safari 4.0
* Chrome 4.1.249.1042
I think there might be some benefit in including the header for all WUI
pages, not just ambiently accessible ones. In conjunction with #1797, that
would simplify reasoning about some of the attacks we were worried about
in the 2012-08-28 conference call.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1455#comment:2>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
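
Added example, not part of the original message and not Tahoe-LAFS code: one way to check that every page, not only the ambiently accessible ones, actually sends a usable X-Frame-Options header. The function names, paths and header sets are constructed for illustration, and the check assumes only DENY and SAMEORIGIN are acceptable values.

```python
# Audit captured response headers for X-Frame-Options coverage.
# Paths and header lists in SAMPLE are constructed, not real WUI output.

ACCEPTED = {"DENY", "SAMEORIGIN"}  # assumption: the only values this check allows


def frame_policy(headers):
    """Return (ok, detail) for one response given as (name, value) pairs."""
    values = [v.strip().upper() for n, v in headers
              if n.strip().lower() == "x-frame-options"]
    if not values:
        return False, "missing"
    # A repeated or comma-joined header with differing values is ambiguous,
    # so it is treated as a failure rather than trusting any one value.
    tokens = {t.strip() for v in values for t in v.split(",")}
    if len(tokens) > 1:
        return False, "conflicting values: " + ", ".join(sorted(tokens))
    token = tokens.pop()
    if token not in ACCEPTED:
        return False, "unrecognised value: " + token
    return True, token


def audit(responses):
    """Map each path that could still be framed to the reason it fails."""
    failures = {}
    for path, headers in responses.items():
        ok, detail = frame_policy(headers)
        if not ok:
            failures[path] = detail
    return failures


SAMPLE = {
    "/": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "/status/": [("Content-Type", "text/html")],
    "/uri/EXAMPLE-CAP": [("x-frame-options", "sameorigin")],
    "/page-a": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "/page-b": [("X-Frame-Options", "ALLOWALL")],
}

if __name__ == "__main__":
    for path, detail in sorted(audit(SAMPLE).items()):
        print(path, "->", detail)
```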