This patch reverts the changes made at the OPAC from the following
patches:
Do not include the antiClickjack legacy browser trick for greybox"
Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox"
This reverts commit fc640d2a86.
Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN"
This reverts commit fb167c0e4b.
Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks"
This reverts commit dc03bca76c.
Setting X-Frame-Options to SAMEORIGIN is enough for mordern browsers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
The antiClickjack trick should be removed at the OPAC as we want to keep
the OPAC usable even if the user has disabled JS.
That means the OPAC will be vulnerable to XFS if a user is navigating
with a prehistoric browser:
Firefox 3.6.9 September 2010
IE 8 March 2008
Opera 10.5 March 2010
Safari 4 February 2009
Chrome 4.1.… somewhen 2010
Test plan:
Confirm that there are no regression of bug 15111 with modern browsers
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
If you click on a link that opens a new tab/window to another site, that tab
has access to the original window through JavaScript. The browsing context is
related, even if the domains are totally different.
The tab retains access to the original window's object via window.opener, even
if you navigate to another page or domain, in the new or original window.
Access to the Window object means the new window can use Window.location to
open a different URL in the original window, perfect for phishing attacks.
Depending on the site's Same-Origin Policy settings, the new window may have
access to other parts of the original window's DOM as well.
Any 'A HREF' that contains a target of of '_blank' or '_new' or a fixed name
is vulnerable. Previous security best practice often suggested creating a random
fixed name for an unpredictable namespace - that won't help with this problem!
Targets of '_self' and '_parent' are safe.
We do not use _new (at first glance) but several _blank. Some are used
to refer internal url, we do not need to update or remove them. Others
are used to satisfy OPACURLOpenInNewWindow, in these case, we should add
the rel="noreferrer" attribute to the a tags.
In other cases, we can simply remove them and let the users discover
that a mouse has more than one button (we are in 2016, they can do it!)
Signed-off-by: Chris <chrisc@catalyst.net.nz>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Most of the scripts called via greybox (which uses iframe) don't include
doc-head-close. But some do.
This patch adds a popup parameter for these templates, not to include
the legacy browser trick and avoid the replacement of the location.
Test plan:
1/ Export patroncard and label
2/ translate itemtypes
3/ click on a idref link at the OPAC
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
On the detail page (in the opac), if the biblio comes from the Sudoc,
you must have a link (on the right of the author link) which open a popup with
informations about this author (publications by role).
To test:
1/ Switch on the Idref system preference
2/ Simulate a SUDOC record:
Fill a 7..$3 field with a ppn (032581270 for example).
Fill the 009 field with an integer
3/ Go to the opac detail page of this notice.
You should see the IDREF link.
If you click on it, a popup displays a loading icon and after a few
seconds (depending of the productivity of the authority :)), a list of
roles. For each role, a table displays all his corresponding publications.
4/ On the right, you have 2 links: 1 for a koha search for this result
and 1 for a SUDOC link
Signed-off-by: valerie bertrand <valerie.bertrand@univ-lyon3.fr>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
