On 9 Aug 2011, at 22:14, Martin S. Weber wrote:

> So I wanted to use javadoc/scaladoc style documentation and take advantage of 
> fossil's embedded documentation -- I put the scaladoc under <repo>/docco and 
> happily was going to http://server:port/repo/doc/trunk/docco/index.html - but 
> there noscript was already waiting for me, saying "No, no!". I couldn't 
> convince it otherwise, so I turned the X-Frame-Options http header over to 
> SAMEORIGIN instead of DENY and recompiled.
> 
> Now, with wikis and such I can see how there's a danger of IFRAMEs, 
> clickjacking and what not. On the other hand, there's a valid use-case for using 
> iframes, where x-frame-options really should be SAMEORIGIN. Couldn't there be 
> a setting to tune, or a list of glob patterns for which to turn 
> X-Frame-Options to SAMEORIGIN (or, the other way round, to DENY) ?

Changing to SAMEORIGIN isn't going to lose much in terms of security, as you'd 
have to have exploited something else first. I chose DENY when I added that 
header to be as paranoid as possible, not realising it'd break your 
documentation (sorry!).

You can change the value of the header in the web server hosting the CGI 
script, if you're hosting that way. Under Apache you would use mod_headers.

It sounds like the default should change, and those who really care should 
adjust their web server.

Ben


--
http://bens.me.uk/
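As an added illustration of the mod_headers approach Ben suggests (this is not config from the thread or from fossil itself): the CGI emits X-Frame-Options: DENY, and Apache's `Header set` replaces that value in the response, so the strict default can stay for the wiki and tickets while only the embedded docco path is relaxed to SAMEORIGIN. It assumes Apache 2.4 with mod_headers enabled and fossil served at /repo; the `/repo/doc/<checkin>/docco/` pattern is taken from the URL in Martin's mail.

```apache
# Added example, not from the thread. Assumes Apache 2.4, mod_headers loaded,
# and the fossil CGI script mounted at /repo. "Header set" overwrites the
# X-Frame-Options value the CGI already sent, so no recompile is needed.

# Default for the whole repository (wiki, tickets, timeline): keep DENY.
<Location "/repo">
    Header set X-Frame-Options "DENY"
</Location>

# Relax only the embedded scaladoc, which frames its own pages.
# Later sections win, so this overrides the block above for matching URLs.
# "[^/]+" stands for the checkin name (trunk, a tag or a branch).
<LocationMatch "^/repo/doc/[^/]+/docco/">
    Header set X-Frame-Options "SAMEORIGIN"
</LocationMatch>
```

After reloading Apache, `curl -sI http://server:port/repo/doc/trunk/docco/index.html | grep -i x-frame-options` should show SAMEORIGIN for the docco path and DENY for any other page under /repo.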



_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
