Udo Schnurpfeil created TOBAGO-1822:
---------------------------------------
Summary: Modernize frame attack handling
Key: TOBAGO-1822
URL: https://issues.apache.org/jira/browse/TOBAGO-1822
Project: MyFaces Tobago
Issue Type: Improvement
Components: Themes
Reporter: Udo Schnurpfeil
Assignee: Udo Schnurpfeil
Currently the Tobago configuration attribute "preventFrameAttacks" is
implemented with CSS and JavaScript. These days all supported browsers support
the HTTP header "X-Frame-Options". So, this header should be set.
Nevertheless this header is deprecated by the CSP Level 2 directive
"frame-ancestors", which has good support, except in IE11.
So we should
# use the HTTP header "X-Frame-Options", if preventFrameAttacks is set and
# the developer might set the CSP Level 2 directive "frame-ancestors"
The default in Tobago should be: don't allow (with both techniques).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)