Hi Paul,

thank you for this information. I've worked around this by using Netscape which 
even in its newest version does not support this header but displays the page 
correctly, thus allowing me to do what I wanted to do. But I have to say that 
subscribing is the better option, though I can't figure out what "nnn" stands 
for. A number? I've tried to email these addresses but they are reported as nonexistent:
"[email protected]", 
"[email protected]", 
"[email protected]"
What is "nnn" and where do I find it?

Thanks, Mattia

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Paul Wise
Sent: Saturday, 13 January 2018 04:21
To: Mattia Dorigatti | Brandnamic <[email protected]>
Cc: [email protected]
Subject: Re: Security Tracker Frame Options Header

On Fri, Jan 12, 2018 at 4:59 PM, Mattia Dorigatti wrote:

> I have a question. Why do the security tracker sites have the 
> X-Frame-Options:sameorigin header set? Because I've wanted to keep an eye on 
> some CVEs I've created a simple html site with three iframes and the refresh 
> meta tag so that I could put it on an extra monitor and have a look at the 
> status. But I can't do that if that header is set. Why is this and can it be 
> changed?

All debian.org hosts use this header where possible. As you can see in the 
Mozilla documentation, it is used to prevent clickjacking attacks as well as 
hosts passing off content as their own, so I'm not sure it is a good idea to 
disable it. I think it might be best for you to use a browser extension to 
achieve the autorefresh and open a window for each CVE. You could also just 
subscribe to the Debian bug mail for each bug associated with the CVEs you are 
interested in.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://www.debian.org/Bugs/Developer#subscribe

--
bye,
pabs

https://wiki.debian.org/PaulWise
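
An added example, not part of the original messages: a simplified model of the framing decision a browser makes for X-Frame-Options, modelled on the HTML Standard's processing, showing why a monitoring page on another origin cannot embed a page served with `sameorigin`. The function name and the `tracker.example` / `dashboard.example` URLs are constructed for illustration.

```javascript
// Simplified model of a browser's X-Frame-Options check (added example).
// Not modelled: a Content-Security-Policy frame-ancestors directive, which
// takes precedence over X-Frame-Options in current browsers.
//
// headerValues: every X-Frame-Options header value on the response
// resourceUrl:  URL of the page being loaded inside the frame
// ancestorUrls: URLs of all documents that would contain the frame
function mayBeFramed(headerValues, resourceUrl, ancestorUrls) {
  // All header values are combined, split on commas and compared
  // case-insensitively; duplicates collapse into one token.
  const tokens = new Set(
    headerValues
      .flatMap((value) => value.split(","))
      .map((token) => token.trim().toLowerCase())
      .filter((token) => token !== "")
  );

  // Conflicting directives fail closed: the page is not rendered in a frame.
  const known = ["deny", "sameorigin", "allowall"];
  if (tokens.size > 1 && known.some((k) => tokens.has(k))) return false;

  if (tokens.has("deny")) return false;

  if (tokens.has("sameorigin")) {
    // Every ancestor must share the framed page's origin
    // (scheme, host and port), not only the direct parent.
    const origin = new URL(resourceUrl).origin;
    return ancestorUrls.every((a) => new URL(a).origin === origin);
  }

  // No header, the obsolete ALLOW-FROM form, or an unrecognised value:
  // this header imposes no restriction.
  return true;
}

// Constructed sample: a status dashboard trying to embed a tracker page.
const tracker = "https://tracker.example/some-cve-page";
const dashboard = "https://dashboard.example/status.html";
console.log(mayBeFramed(["sameorigin"], tracker, [dashboard]));
console.log(mayBeFramed(["sameorigin"], tracker, ["https://tracker.example/"]));
```
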
