Opened 7 years ago
Last modified 4 years ago
#5404 review defect
X-Frame-Options for admin/moderator views
Reported by: Matt Molyneaux
Owned by:
Currently MediaGoblin doesn't do anything to prevent clickjacking.
X-Frame-Options: SAMEORIGIN in responses for those views would protect against this attack.
Change History (3)
comment:1 by , 6 years ago
Last edited 6 years ago
comment:2 by , 6 years ago
Status: new → accepted
comment:3 by , 4 years ago
Status: accepted → review
Here's a first stab at this using a meddleware class to set
X-Frame-Options = SAMEORIGIN for all views. A better solution would probably use decorators to set X-Frame-Options headers on specific views as mentioned in the ticket title.
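The two approaches discussed on this ticket (a middleware that stamps every response, versus a decorator applied only to admin/moderator views), shown side by side as an added example. This is not MediaGoblin's code and does not reproduce its meddleware API: the `Response` class, `FrameOptionsMiddleware`, `frame_options` decorator, `audit_frame_protection` check and the sample views are stand-ins constructed for this illustration.

```python
"""Clickjacking defence via X-Frame-Options, shown two ways.

Added example, not MediaGoblin's own code: Response, the middleware and the
decorator below are hypothetical stand-ins for whatever the real framework
provides (MediaGoblin's meddleware classes are not reproduced here).
"""
from functools import wraps

# Values the header may legitimately carry. ALLOW-FROM is obsolete and ignored
# by current browsers, so it is deliberately not accepted as "protected".
VALID_XFO = ("DENY", "SAMEORIGIN")


class Response:
    """Minimal stand-in for a framework response: a body plus a header dict."""

    def __init__(self, body, headers=None):
        self.body = body
        self.headers = dict(headers or {})


def get_header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


class FrameOptionsMiddleware:
    """Blanket approach from the comment: every response leaving the app gets
    X-Frame-Options, unless a view has already set one explicitly."""

    def __init__(self, app, default="SAMEORIGIN"):
        if default not in VALID_XFO:
            raise ValueError(f"invalid X-Frame-Options value: {default!r}")
        self.app = app
        self.default = default

    def __call__(self, request):
        response = self.app(request)
        # Respect a stricter per-view choice (e.g. DENY) instead of clobbering it.
        if get_header(response.headers, "X-Frame-Options") is None:
            response.headers["X-Frame-Options"] = self.default
        return response


def frame_options(value="SAMEORIGIN"):
    """Per-view approach from the ticket title: decorate only the views that
    need protection (admin/moderator pages), choosing DENY or SAMEORIGIN."""
    if value not in VALID_XFO:
        raise ValueError(f"invalid X-Frame-Options value: {value!r}")

    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            response = view(request, *args, **kwargs)
            # The decorator is authoritative for this view, so it always sets it.
            response.headers["X-Frame-Options"] = value
            return response
        return wrapped
    return decorator


def audit_frame_protection(response):
    """Defender-side check: is this response protected from being framed?

    Returns "protected", "missing" or "invalid". A CSP frame-ancestors
    directive also counts, since modern browsers prefer it over X-Frame-Options.
    """
    csp = get_header(response.headers, "Content-Security-Policy") or ""
    if "frame-ancestors" in csp.lower():
        return "protected"
    xfo = get_header(response.headers, "X-Frame-Options")
    if xfo is None:
        return "missing"
    return "protected" if xfo.strip().upper() in VALID_XFO else "invalid"


# --- constructed sample views (hypothetical, for demonstration only) ---------

def public_gallery(request):
    return Response("gallery html")


@frame_options("DENY")
def admin_panel(request):
    return Response("admin html")


if __name__ == "__main__":
    req = {"path": "/"}  # constructed request object
    print(audit_frame_protection(public_gallery(req)))                       # missing
    print(audit_frame_protection(FrameOptionsMiddleware(public_gallery)(req)))  # protected
    print(FrameOptionsMiddleware(admin_panel)(req).headers["X-Frame-Options"])  # DENY
```

The middleware only fills in the header when a view has not already chosen one, so a view decorated with `DENY` keeps that stricter setting when both mechanisms are stacked; `audit_frame_protection` is the kind of check a test suite or response-scanning script can run to catch views that slip through unprotected.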