[ https://issues.apache.org/jira/browse/TOBAGO-1822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Udo Schnurpfeil resolved TOBAGO-1822.
-------------------------------------
Resolution: Fixed
> Modernize frame attack handling
> -------------------------------
>
> Key: TOBAGO-1822
> URL: https://issues.apache.org/jira/browse/TOBAGO-1822
> Project: MyFaces Tobago
> Issue Type: Improvement
> Components: Themes
> Reporter: Udo Schnurpfeil
> Assignee: Udo Schnurpfeil
> Fix For: 4.0.0
>
>
> Currently the Tobago configuration attribute "preventFrameAttacks" is
> implemented with CSS and JavaScript. These days all supported browsers
> support the HTTP header "X-Frame-Options". So, this header should be set.
> Nevertheless, this header is deprecated by the CSP Level 2 directive
> "frame-ancestors", which has good support, except for IE11.
> So we should
> # use the HTTP header "X-Frame-Options", if preventFrameAttacks is set, and
> # the developer might set the CSP Level 2 directive "frame-ancestors"
> The default in Tobago should be: don't allow (with both techniques).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
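A defender's check of the two techniques discussed in the issue, added here as an example that is not part of the issue or of Tobago's own code: given a response's headers, it classifies how a CSP Level 2 browser (where "frame-ancestors" takes precedence over "X-Frame-Options") and a browser that only knows "X-Frame-Options" would treat framing, and flags the case where the two headers disagree. The header values and verdict names are constructed for the example.

```python
"""Classify a response's framing policy from its headers, as a defender's check."""

XFO_VERDICT = {"DENY": "blocked", "SAMEORIGIN": "same-origin"}


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list (lower-cased), or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def evaluate_frame_protection(headers):
    """Return {'modern': v, 'legacy': v, 'notes': [...]} for a header dict.

    'modern' is what a CSP Level 2 browser does (frame-ancestors, when present,
    takes precedence over X-Frame-Options); 'legacy' is what a browser that only
    knows X-Frame-Options does. Verdicts: 'blocked', 'same-origin', 'restricted', 'open'.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    notes = []

    xfo = h.get("x-frame-options", "").upper()
    legacy = XFO_VERDICT.get(xfo, "open")
    if xfo and legacy == "open":
        # ALLOW-FROM (never widely supported) and unknown tokens are ignored, so the page stays frameable.
        notes.append(f"X-Frame-Options {xfo!r} is not honoured; page is frameable")

    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is None:
        modern = legacy  # no frame-ancestors: CSP browsers fall back to X-Frame-Options
    elif sources == ["'none'"] or not sources:
        modern = "blocked"  # an empty source list matches nothing, like 'none'
    elif "*" in sources:
        modern = "open"
        notes.append("frame-ancestors * lets any origin frame the page")
    elif all(s == "'self'" for s in sources):
        modern = "same-origin"
    else:
        modern = "restricted"  # an explicit allow-list of framing origins

    if modern != legacy:
        notes.append(f"header mismatch: CSP browsers get {modern!r}, legacy browsers get {legacy!r}")
    return {"modern": modern, "legacy": legacy, "notes": notes}
```

The proposed Tobago default (X-Frame-Options: DENY plus frame-ancestors 'none') is the only combination that yields "blocked" for both browser classes with no notes.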