[
https://issues.apache.org/jira/browse/TOBAGO-1822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247593#comment-16247593
]
Hudson commented on TOBAGO-1822:
--------------------------------
SUCCESS: Integrated in Jenkins build Tobago Trunk #1122 (See
[https://builds.apache.org/job/Tobago%20Trunk/1122/])
TOBAGO-1822: Modernize frame attack handling * step 2: base config for (lofwyr:
rev ade9c1458d78132325af6e014a52011331b22853)
* (edit)
tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
* (edit) tobago-core/src/main/resources/META-INF/tobago-config.xml
> Modernize frame attack handling
> -------------------------------
>
> Key: TOBAGO-1822
> URL: https://issues.apache.org/jira/browse/TOBAGO-1822
> Project: MyFaces Tobago
> Issue Type: Improvement
> Components: Themes
> Reporter: Udo Schnurpfeil
> Assignee: Udo Schnurpfeil
> Fix For: 4.0.0
>
>
> Currently the Tobago configuration attribute "preventFrameAttacks" is
> implemented with CSS and JavaScript. These days all supported browsers
> supports the HTTP header "X-Frame-Options". So, this header should be set.
> Nevertheless this header is deprecated by the CSP Level 2 directive
> "frame-ancestors" which has good support, but IE11.
> So we should
> # use the HTTP header "X-Frame-Options", if preventFrameAttacks is set and
> # the developer might set the CSP Level 2 directive "frame-ancestors"
> The default in Tobago should be: don't allow (with both techniques).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
