Re: [fossil-users] X-Frame-Options http header

2011-08-10 Thread Ben Summers

On 9 Aug 2011, at 22:14, Martin S. Weber wrote:

 So I wanted to use javadoc/scaladoc style documentation and take advantage of 
 fossil's embedded documentation -- I put the scaladoc under repo/docco and 
 happily was going to http://server:port/repo/doc/trunk/docco/index.html - but 
 there noscript was already waiting for me, saying "No, no!". I couldn't 
 convince it otherwise, so I turned the X-Frame-Options http header over to 
 SAMEORIGIN instead of DENY and recompiled.
 
 Now, with wikis and such I can see how there's a danger of IFRAMEs, click 
 jacking and what not. On the other hand, there's a valid use-case for using 
 iframes, where x-frame-options really should be SAMEORIGIN. Couldn't there be 
 a setting to tune, or a list of glob patterns for which to turn 
 X-Frame-Options to SAMEORIGIN (or, the other way round, to DENY) ?

Changing to SAMEORIGIN isn't going to lose much in terms of security, as you'd 
have to have exploited something else first. I chose DENY when I added that 
header to be as paranoid as possible, not realising it'd break your 
documentation (sorry!).

You can change the value of the header in the web server hosting the CGI 
script, if you're hosting that way. Under Apache you would use mod_headers.

It sounds like the default should change, and those who really care should 
adjust their web server.

Ben


--
http://bens.me.uk/



___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users


Re: [fossil-users] X-Frame-Options http header

2011-08-10 Thread Stephan Beal
On Wed, Aug 10, 2011 at 9:24 AM, Ben Summers b...@fluffy.co.uk wrote:

 It sounds like the default should change, and those who really care should
 adjust their web server.


Just FYI: the vast majority of users do not have admin-level rights to their
publicly-hosted servers. i.e. fossil changes which _require_ adjustments to
the web server config are likely to cost fossil a user or two. My primary
use of fossil is over CGI on Apache, but i have very little control over the
apache config on my 2 hosters (i can't change modules, i can only change
certain settings).

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/


Re: [fossil-users] X-Frame-Options http header

2011-08-10 Thread Ben Summers

On 10 Aug 2011, at 15:11, Stephan Beal wrote:

 On Wed, Aug 10, 2011 at 9:24 AM, Ben Summers b...@fluffy.co.uk wrote:
 It sounds like the default should change, and those who really care should 
 adjust their web server.
 
 Just FYI: the vast majority of users do not have admin-level rights to their 
 publicly-hosted servers. i.e. fossil changes which _require_ adjustments to 
 the web server config are likely to cost fossil a user or two. My primary use 
 of fossil is over CGI on Apache, but i have very little control over the 
 apache config on my 2 hosters (i can't change modules, i can only change 
 certain settings).

Yes, that was why I suggested changing the default to something which caused 
minimal problems. The paranoid will probably be running their own servers 
anyway.

In any case, the DENY setting only affected those doing something fancy.

Ben



--
http://bens.me.uk/





Re: [fossil-users] X-Frame-Options http header

2011-08-10 Thread Stephan Beal
On Wed, Aug 10, 2011 at 4:23 PM, Ben Summers b...@fluffy.co.uk wrote:

 Yes, that was why I suggested changing the default to something which
 caused minimal problems. The paranoid will probably be running their own
 servers anyway.

 In any case, the DENY setting only affected those doing something fancy.


Sorry, i didn't mean to imply that such a change _would_ break my setup (i
had never even heard of that header until this thread!), just that changing
web server settings isn't always possible.

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/


Re: [fossil-users] X-Frame-Options http header

2011-08-10 Thread Stephan Beal
On Wed, Aug 10, 2011 at 4:28 PM, Stephan Beal sgb...@googlemail.com wrote:

 Sorry, i didn't mean to imply that such a change _would_ break my setup (i
 had never even heard of that header until this thread!)


And a side note: HTML5 deprecates frames altogether (but not iframe), by the
way.

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/


[fossil-users] X-Frame-Options http header

2011-08-09 Thread Martin S. Weber
So I wanted to use javadoc/scaladoc style documentation and take advantage of 
fossil's embedded documentation -- I put the scaladoc under repo/docco and 
happily was going to http://server:port/repo/doc/trunk/docco/index.html - but 
there noscript was already waiting for me, saying "No, no!". I couldn't 
convince it otherwise, so I turned the X-Frame-Options http header over to 
SAMEORIGIN instead of DENY and recompiled.

Now, with wikis and such I can see how there's a danger of IFRAMEs, click 
jacking and what not. On the other hand, there's a valid use-case for using 
iframes, where x-frame-options really should be SAMEORIGIN. Couldn't there be 
a setting to tune, or a list of glob patterns for which to turn 
X-Frame-Options to SAMEORIGIN (or, the other way round, to DENY) ?

(yeah yeah I know - obvious answer is stop using scaladoc or javadoc, they're 
bad tools anyways. But it's all I have here :)).

Regards,

-Martin
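The per-path setting Martin asks for above (a list of glob patterns deciding where X-Frame-Options is SAMEORIGIN and where it stays DENY) can be sketched as a small WSGI middleware. This is an added illustration, not Fossil's code and not something from the thread; the rule list, the `/repo/...` paths and the stand-in backend app are constructed for the example. Unmatched paths keep the paranoid DENY default Ben describes, and the middleware replaces whatever value the wrapped app already emitted rather than appending a second header, so a response never carries two conflicting X-Frame-Options values.

```python
"""Per-path X-Frame-Options policy as a WSGI middleware.

Added illustration, not Fossil's code: it sketches the "list of glob
patterns" setting proposed in the thread. The rules, paths and the tiny
backend app below are constructed for the example.
"""
from fnmatch import fnmatch
from wsgiref.util import setup_testing_defaults

# Ordered rules: the first matching glob wins. Note that fnmatch's "*" also
# matches "/", so "/repo/doc/*" covers the whole embedded-docs subtree.
# Anything not matched gets DEFAULT_POLICY, which stays DENY.
FRAME_RULES = [
    ("/repo/doc/*", "SAMEORIGIN"),  # embedded docs (framesets) may frame themselves
    ("/repo/wiki*", "DENY"),        # wiki pages never render inside a frame
]
DEFAULT_POLICY = "DENY"


def policy_for(path, rules=FRAME_RULES, default=DEFAULT_POLICY):
    """Return the X-Frame-Options value to send for a request path."""
    for pattern, value in rules:
        if fnmatch(path, pattern):
            return value
    return default


class FrameOptionsMiddleware:
    """Set X-Frame-Options on every response, replacing any value the
    wrapped app emitted so the header is never sent twice with
    conflicting values."""

    def __init__(self, app, rules=FRAME_RULES, default=DEFAULT_POLICY):
        self.app, self.rules, self.default = app, rules, default

    def __call__(self, environ, start_response):
        value = policy_for(environ.get("PATH_INFO", "/"), self.rules, self.default)

        def wrapped_start(status, headers, exc_info=None):
            # Drop the backend's own X-Frame-Options, then set ours.
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", value))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start)


def backend_app(environ, start_response):
    """Constructed stand-in for the real application: it hard-codes DENY
    on every response, like the header the thread discusses."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("X-Frame-Options", "DENY")])
    return [b"<html>doc</html>"]


def response_headers(app, path):
    """Run one request for `path` through `app`; return the header list."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    b"".join(app(environ, start_response))  # drain the body
    return captured["headers"]


if __name__ == "__main__":
    app = FrameOptionsMiddleware(backend_app)
    for p in ["/repo/doc/trunk/docco/index.html", "/repo/wiki", "/repo/timeline"]:
        print(p, dict(response_headers(app, p))["X-Frame-Options"])
```

Running it prints SAMEORIGIN for the docs path and DENY for the other two. The same rule list would also express the opposite arrangement mentioned in the post (SAMEORIGIN everywhere, DENY on listed paths) by swapping the default and the pattern values.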