Koha-community
/
Koha
13
5
Fork 0
Code Issues Releases Wiki Activity
Browse Source

[SIGNED-OFF] Bug 16210: Revert OPAC changes from Bug 15111 

This patch reverts the changes made at the OPAC from the following
patches:

Do not include the antiClickjack legacy browser trick for greybox"

Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox"
This reverts commit fc640d2a86.

Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN"
This reverts commit fb167c0e4b.

Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks"
This reverts commit dc03bca76c.

Setting X-Frame-Options to SAMEORIGIN is enough for mordern browsers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

The antiClickjack trick should be removed at the OPAC as we want to keep
the OPAC usable even if the user has disabled JS.
That means the OPAC will be vulnerable to XFS if a user is navigating
with a prehistoric browser:
Firefox 3.6.9 September 2010
IE 8    March 2008
Opera 10.5  March 2010
Safari 4  February 2009
Chrome 4.1.…  somewhen 2010

Test plan:
Confirm that there are no regression of bug 15111 with modern browsers

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
new_12478_elasticsearch
Jonathan Druart 8 years ago
committed by Brendan Gallagher
parent
98f551faec
commit
d496d03e8a
2 changed files with 1 additions and 15 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc
  2. 2
      koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-idref.tt

14
koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc
View File

@ -1,20 +1,6 @@
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Koha [% Version %]" /> <!-- leave this for stats -->
<meta name="viewport" content="width=device-width, initial-scale=1" />
[%# Prevent XFS attacks -%]
[% UNLESS popup %]
<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
if (self === top) {
var antiClickjack = document.getElementById("antiClickjack");
antiClickjack.parentNode.removeChild(antiClickjack);
} else {
top.location = self.location;
}
</script>
[% END %]
<link rel="shortcut icon" href="[% IF ( OpacFavicon ) %][% OpacFavicon %][% ELSE %][% interface %]/[% theme %]/images/favicon.ico[% END %]" type="image/x-icon" />
[% IF ( bidi ) %]
<link rel="stylesheet" type="text/css" href="[% interface %]/[% theme %]/lib/bootstrap/css/bootstrap-rtl.min.css" />

2
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-idref.tt
View File

@ -1,7 +1,7 @@
[% INCLUDE 'doc-head-open.inc' %]
<title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog &rsaquo; Your search IDREF for ppn [% unimarc3 %]</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
[% INCLUDE 'doc-head-close.inc' popup => 1 %]
[% INCLUDE 'doc-head-close.inc' %]
[% BLOCK cssinclude %]
<style type="text/css">
ul.ui-tabs-nav li a, ul.ui-tabs-nav li span.a { padding:0.6em 1em; }

Write Preview
Loading…
Cancel
Save