Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for http header X-Frame-Options #2816

Merged
merged 1 commit into from
Mar 1, 2024
Merged

Add support for http header X-Frame-Options #2816

merged 1 commit into from
Mar 1, 2024

Conversation

hmpf
Copy link
Contributor

@hmpf hmpf commented Feb 21, 2024
edited
Loading

Closes #2817

Depends on #2815

@hmpf hmpf self-assigned this Feb 21, 2024
@codecov Codecov
Copy link

codecov bot commented Feb 21, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 92.85714% with 1 lines in your changes are missing coverage. Please review.

Project coverage is 57.16%. Comparing base (459cb29) to head (5e0c279).

Files Patch % Lines
python/nav/web/security.py 91.66% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2816      +/-   ##
==========================================
+ Coverage   57.15%   57.16%   +0.01%     
==========================================
  Files         568      568              
  Lines       41282    41293      +11     
==========================================
+ Hits        23596    23607      +11     
  Misses      17686    17686

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 21, 2024
edited
Loading

Test results

     12 files       12 suites   11m 51s ⏱️
3 312 tests 3 312 ✔️ 0 💤 0
9 411 runs  9 411 ✔️ 0 💤 0

Results for commit 5e0c279.

♻️ This comment has been updated with latest results.

@hmpf hmpf force-pushed the x-frame-options-support branch 3 times, most recently from 6ceca61 to 9dc665e Compare February 28, 2024 09:50
lunkwill42
lunkwill42 reviewed Feb 28, 2024
View reviewed changes
Copy link
Member

@lunkwill42 lunkwill42 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks fine to me, but this makes we wonder: What is the actual rationale of using the X-Frame-Options if it has been superseded by CSP policy headers? Just to support ancient browsers?

@hmpf
Copy link
Contributor Author

hmpf commented Feb 28, 2024
edited
Loading

What is the actual rationale of using the X-Frame-Options if it has been superseded by CSP policy headers? Just to support ancient browsers?

It's an easy win we can merge now. The "correct" way, which is in #2822 (#2818), crashes the webcrawler-test. #2822 uses the same setting.

@lunkwill42
Copy link
Member

What is the actual rationale of using the X-Frame-Options if it has been superseded by CSP policy headers? Just to support ancient browsers?

It's an easy win we can merge now. The "correct" way, which is in #2822 (#2818), crashes the webcrawler-test. #2822 uses the same setting.

Ok, but we'll have to merge #2815 first :)

lunkwill42
lunkwill42 approved these changes Feb 28, 2024
View reviewed changes
Copy link
Member

@lunkwill42 lunkwill42 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to rebase and merge once #2815 is merged.

@hmpf hmpf force-pushed the x-frame-options-support branch 2 times, most recently from f1c9bc7 to 6e2d46d Compare February 29, 2024 11:28
@hmpf
Add simple clickjacking prevention
5e0c279 
Support X-Frame-Options with a default of SAMEORIGIN.
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Mar 1, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@hmpf hmpf merged commit dcc18f9 into Uninett:master Mar 1, 2024
12 checks passed
@hmpf hmpf deleted the x-frame-options-support branch March 1, 2024 08:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lunkwill42 lunkwill42 lunkwill42 approved these changes

@stveit stveit Awaiting requested review from stveit

@johannaengland johannaengland Awaiting requested review from johannaengland

Assignees

@hmpf hmpf

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Set X-Frame-Options: SAMEORIGIN by default (configurable)
2 participants
@hmpf @lunkwill42