Browse Source
This patch reverts the changes made at the OPAC from the following patches: Do not include the antiClickjack legacy browser trick for greybox" Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox" This reverts commitnew_12478_elasticsearchfc640d2a86
. Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN" This reverts commitfb167c0e4b
. Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks" This reverts commitdc03bca76c
. Setting X-Frame-Options to SAMEORIGIN is enough for mordern browsers: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options The antiClickjack trick should be removed at the OPAC as we want to keep the OPAC usable even if the user has disabled JS. That means the OPAC will be vulnerable to XFS if a user is navigating with a prehistoric browser: Firefox 3.6.9 September 2010 IE 8 March 2008 Opera 10.5 March 2010 Safari 4 February 2009 Chrome 4.1.… somewhen 2010 Test plan: Confirm that there are no regression of bug 15111 with modern browsers Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
2 changed files with 1 additions and 15 deletions
Loading…
Reference in new issue