Udo Schnurpfeil created TOBAGO-1822: ---------------------------------------
Summary: Modernize frame attack handling
Key: TOBAGO-1822
URL: https://issues.apache.org/jira/browse/TOBAGO-1822
Project: MyFaces Tobago
Issue Type: Improvement
Components: Themes
Reporter: Udo Schnurpfeil
Assignee: Udo Schnurpfeil

Currently the Tobago configuration attribute "preventFrameAttacks" is implemented with CSS and JavaScript. These days all supported browsers support the HTTP header "X-Frame-Options". So, this header should be set. Nevertheless, this header is deprecated by the CSP Level 2 directive "frame-ancestors", which has good support, except in IE11.

So we should
1. use the HTTP header "X-Frame-Options", if preventFrameAttacks is set, and
2. the developer might set the CSP Level 2 directive "frame-ancestors".

The default in Tobago should be: don't allow (with both techniques).

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
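The two-header approach the issue proposes, as an added example; this is not Tobago's code and not the change that was committed for this ticket. It is a plain servlet filter (javax.servlet API, as used by JSF applications of that era) whose init parameters "preventFrameAttacks" and "frameAncestors" are hypothetical names chosen for the example. It sets "X-Frame-Options: DENY" for older browsers (IE11 in the issue's terms) and adds a separate "Content-Security-Policy: frame-ancestors ..." header for CSP Level 2 browsers, defaulting to 'none' so that the default is "don't allow" with both techniques.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not part of Tobago) that emits both anti-framing headers.
 *
 * Init parameters (hypothetical names, assumed for this example):
 *   preventFrameAttacks  "true" (default) or "false"
 *   frameAncestors       value for the CSP frame-ancestors directive,
 *                        e.g. "'none'" (default), "'self'" or "https://portal.example"
 */
@WebFilter("/*")
public class FrameAttackHeaderFilter implements Filter {

  private boolean preventFrameAttacks = true;   // default: deny framing
  private String frameAncestors = "'none'";     // default: deny framing

  @Override
  public void init(FilterConfig config) {
    String prevent = config.getInitParameter("preventFrameAttacks");
    if (prevent != null) {
      preventFrameAttacks = Boolean.parseBoolean(prevent.trim());
    }
    String ancestors = config.getInitParameter("frameAncestors");
    if (ancestors != null && !ancestors.trim().isEmpty()) {
      frameAncestors = ancestors.trim();
    }
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    if (response instanceof HttpServletResponse) {
      HttpServletResponse http = (HttpServletResponse) response;
      // Headers must be set before the body is written, i.e. before chain.doFilter().
      if (preventFrameAttacks) {
        // Legacy protection: understood by IE11 and everything newer.
        // X-Frame-Options has no usable host allow-list (ALLOW-FROM is a single
        // origin and not widely supported), so it can only express DENY/SAMEORIGIN.
        http.setHeader("X-Frame-Options", "'self'".equals(frameAncestors) ? "SAMEORIGIN" : "DENY");
      }
      // CSP Level 2: use addHeader so an application-supplied CSP is not overwritten.
      // Multiple Content-Security-Policy headers are all enforced, and per CSP 2 a
      // browser that honours frame-ancestors ignores X-Frame-Options for that response.
      http.addHeader("Content-Security-Policy", "frame-ancestors " + frameAncestors);
    }
    chain.doFilter(request, response);
  }

  @Override
  public void destroy() {
    // nothing to release
  }
}
```

With the defaults, a response carries "X-Frame-Options: DENY" and "Content-Security-Policy: frame-ancestors 'none'". A developer who needs to allow framing from a specific portal sets frameAncestors to that origin; because X-Frame-Options cannot express a host list, such a deployment should also set preventFrameAttacks to false, otherwise IE11 (which ignores frame-ancestors) will still refuse to frame the page.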