External check

2018-01-12 Thread Security Tracker
CVE-2017-1000494: TODO: check
CVE-2017-9274: RESERVED
--
The output might be a bit terse, but the above ids are known elsewhere;
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.



Re: Security Tracker Frame Options Header

2018-01-12 Thread Paul Wise
On Fri, Jan 12, 2018 at 4:59 PM, Mattia Dorigatti wrote:

> I have a question. Why do the security tracker sites have the
> X-Frame-Options:sameorigin header set? Because I've wanted to keep an eye on
> some CVEs, I've created a simple HTML site with three iframes and the refresh
> meta tag so that I could put it on an extra monitor and have a look at the
> status. But I can't do that if that header is set. Why is this and can it be
> changed?

All debian.org hosts use this header where possible. As you can see in
the Mozilla documentation, it is used to prevent clickjacking attacks
as well as hosts passing off content as their own, so I'm not sure it
is a good idea to disable it. I think it might be best for you to use
a browser extension to achieve the autorefresh and open a window for
each CVE. You could also just subscribe to the Debian bug mail for
each bug associated with the CVEs you are interested in.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://www.debian.org/Bugs/Developer#subscribe

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
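
Added example, not part of the thread: a simplified JavaScript model of the X-Frame-Options check discussed in the reply above, showing why a page on another origin (or a local HTML file) cannot frame a response sent with `sameorigin`. The tracker URL form, the dashboard locations and the function names are assumptions; CSP `frame-ancestors` and nested ancestor frames are not modelled.

```javascript
// Simplified model of how a browser applies X-Frame-Options to a framed response.
// All headers and URLs below are constructed sample values.
const TRACKER = 'https://security-tracker.debian.org/tracker/CVE-2017-9274';
const SAMPLE_HEADERS = { 'X-Frame-Options': 'sameorigin' };

// Reduce a URL to its origin; pages loaded from file: have the opaque origin "null".
function originOf(url) {
  const u = new URL(url);
  return u.protocol === 'file:' ? 'null' : u.origin;
}

// Decide whether the response for `resourceUrl` may render inside a frame
// embedded by the page at `parentUrl`. Header names match case-insensitively.
function mayBeFramed(headers, resourceUrl, parentUrl) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const xfo = lower['x-frame-options'];
  if (xfo === undefined) return { allowed: true, reason: 'no X-Frame-Options header' };

  const value = xfo.trim().toLowerCase();
  if (value === 'deny') return { allowed: false, reason: 'DENY blocks all framing' };
  if (value === 'sameorigin') {
    const res = originOf(resourceUrl);
    const parent = originOf(parentUrl);
    // An opaque ("null") origin never matches anything, not even another "null".
    const same = parent !== 'null' && parent === res;
    return same
      ? { allowed: true, reason: 'parent is same origin' }
      : { allowed: false, reason: `parent origin ${parent} != ${res}` };
  }
  // Unrecognised values (such as the obsolete ALLOW-FROM) are ignored by current browsers.
  return { allowed: true, reason: 'unrecognised value ignored' };
}

// The monitoring page from the question, opened from disk or served from another host.
for (const parent of ['file:///home/user/cve-dashboard.html',
                      'https://dashboard.example/cves.html',
                      'https://security-tracker.debian.org/tracker/']) {
  const r = mayBeFramed(SAMPLE_HEADERS, TRACKER, parent);
  console.log(`${parent} -> ${r.allowed ? 'rendered' : 'blocked'} (${r.reason})`);
}
```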



Security Tracker Frame Options Header

2018-01-12 Thread Mattia Dorigatti | Brandnamic
Hi,

I have a question. Why do the security tracker sites have the
X-Frame-Options:sameorigin header set? Because I've wanted to keep an eye on
some CVEs, I've created a simple HTML site with three iframes and the refresh
meta tag so that I could put it on an extra monitor and have a look at the
status. But I can't do that if that header is set. Why is this and can it be
changed?

Thanks,
Mattia