Koha/koha-tmpl/opac-tmpl/bootstrap/en/includes
Jonathan Druart d496d03e8a [SIGNED-OFF] Bug 16210: Revert OPAC changes from Bug 15111
This patch reverts the changes made at the OPAC from the following
patches:

Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox"
This reverts commit fc640d2a86.

Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN"
This reverts commit fb167c0e4b.

Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks"
This reverts commit dc03bca76c.

Setting X-Frame-Options to SAMEORIGIN is enough for modern browsers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

The antiClickjack trick should be removed at the OPAC as we want to keep
the OPAC usable even if the user has disabled JS.
That means the OPAC will be vulnerable to XFS if a user is navigating
with a prehistoric browser:
Firefox 3.6.9 September 2010
IE 8    March 2008
Opera 10.5  March 2010
Safari 4  February 2009
Chrome 4.1.…  somewhen 2010

Test plan:
Confirm that there are no regressions of bug 15111 with modern browsers

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
2016-04-20 16:06:31 +00:00
..
search
authorities-search-results.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
av-build-dropbox.inc Bug 9468: make av-build-dropbox.inc available to OPAC 2015-11-05 10:46:57 -03:00
bodytag.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
calendar.inc Bug 12072: Make datepicker and templates to be aware of dmydot format 2015-11-19 13:15:19 -03:00
datatables.inc
date-format.inc
doc-head-close.inc [SIGNED-OFF] Bug 16210: Revert OPAC changes from Bug 15111 2016-04-20 16:06:31 +00:00
doc-head-open.inc
greybox.inc
item-status-schema-org.inc
item-status.inc
masthead-langmenu.inc Bug 15039: Move top language menu to include and streamline logic 2015-10-22 11:53:42 -03:00
masthead-sco.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
masthead.inc Bug 10988 - Fixes for comments 57 and 58 2016-04-01 19:25:35 +00:00
navigation.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
opac-authorities.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
opac-bottom.inc bug_6624: Added Open Library Search and Read API calls to opac-results.tt and opac-detail.tt Conditional to OpenLibrarySearch syspref 2016-02-23 22:04:15 +00:00
opac-detail-sidebar.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
opac-facets.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
opac-topissues.inc Bug 16157: Move the selected flag from GetAuthorisedValues to the templates 2016-04-07 00:16:09 +00:00
openlibrary-readapi.inc bug_6624: Added Open Library Search and Read API calls to opac-results.tt and opac-detail.tt Conditional to OpenLibrarySearch syspref 2016-02-23 22:04:15 +00:00
page-numbers.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
patron-title.inc
resort_form.inc
shelfbrowser.inc Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
subtypes_unimarc.inc
usermenu.inc Bug 14544: Make the OPAC side independent of Page.pm 2015-11-05 09:58:01 -03:00