[Mahara-contributors] [Bug 1677068] Re: Move from X-Frame-Options to Content-Security-Policy

2018-06-14 Thread Kristina Hoeppner
*** This bug is a duplicate of bug 1734766 ***
https://bugs.launchpad.net/bugs/1734766

** This bug has been marked a duplicate of private bug 1734766

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1677068

Title:
  Move from X-Frame-Options to Content-Security-Policy

Status in Mahara:
  Confirmed

Bug description:
  Currently one cannot embed Mahara within an iframe on a third-party site

  This is due to:
  X-Frame-Options = SAMEORIGIN
  (see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)

  And we can't allow specific external sites to embed Mahara in an
  iframe (well, at least not for all major browsers)

  But good news, there is: Content-Security-Policy
  (see: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)

  Where we can specify which domains are allowed to show which things

  But bad news - to get it to work we'd need to do bad things in relation to
  inline JavaScript
  (see: https://www.html5rocks.com/en/tutorials/security/content-security-policy/)

  Also we'd need to detect that we are in an external iframe before the
  page loads so we can set the headers to allow the correct external
  site (via init.php)

  Currently we set the headers after $session starts and before we enable the
  $USER object
  So we'd need to add something to detect that we are in an iframe on an
  external site and that site is allowed to do this.

  NOTE: some of our pages load in iframes themselves (via pieform
  submission)

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1677068/+subscriptions

___
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
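
An added example (not Mahara code and not part of the bug report) of the header change discussed in this thread, using the CSP `frame-ancestors` directive. The `$allowed_embed_origins` setting, the function names and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example, not Mahara code. $allowed_embed_origins stands for a
// hypothetical site setting; the hosts at the bottom are constructed samples.

/**
 * Keep only well-formed https origins (scheme + host [+ port]). Entries with a
 * path, query, credentials or wildcard are dropped instead of being sent on.
 */
function normalise_embed_origins(array $candidates): array {
    $origins = [];
    foreach ($candidates as $candidate) {
        $parts = parse_url(trim($candidate));
        if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
            continue;
        }
        if (array_diff(array_keys($parts), ['scheme', 'host', 'port'])) {
            continue; // path, query, fragment, user or pass present
        }
        if (!preg_match('/^[a-z0-9.-]+$/i', $parts['host'])) {
            continue; // rejects '*', spaces, ';' and other header-breaking characters
        }
        $origin = 'https://' . strtolower($parts['host']);
        if (isset($parts['port'])) {
            $origin .= ':' . $parts['port'];
        }
        $origins[$origin] = true; // array key de-duplicates
    }
    return array_keys($origins);
}

/**
 * frame-ancestors accepts a list of sources, so the same policy can be sent on
 * every response. 'self' stays in the list because some pages frame themselves.
 */
function framing_headers(array $allowed_embed_origins): array {
    $origins = normalise_embed_origins($allowed_embed_origins);
    $policy = "frame-ancestors 'self'" . ($origins ? ' ' . implode(' ', $origins) : '');
    $headers = ['Content-Security-Policy: ' . $policy];
    if (!$origins) {
        // No external embedders configured: keep the legacy header as well.
        $headers[] = 'X-Frame-Options: SAMEORIGIN';
    }
    return $headers;
}

$config = ['https://lms.example.edu', 'http://insecure.example.org', 'https://portal.example.net/path', 'https://*'];
foreach (framing_headers($config) as $header) {
    print $header . "\n"; // a real page would call header($header) before any output
}
```

With the sample configuration only `https://lms.example.edu` survives validation; with an empty list the output is the same-origin policy plus `X-Frame-Options: SAMEORIGIN`.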


[Mahara-contributors] [Bug 1677068] Re: Move from X-Frame-Options to Content-Security-Policy

2018-04-21 Thread Kristina Hoeppner
We'll need to map out what we can do since we have user generated
content. Mahara already has a site config option to disallow external
content. This should probably be wrapped into the CSP.



[Mahara-contributors] [Bug 1677068] Re: Move from X-Frame-Options to Content-Security-Policy

2018-04-18 Thread Cecilia Vela Gurovic
** Changed in: mahara
 Assignee: Cecilia Vela Gurovic (ceciliavg) => (unassigned)



[Mahara-contributors] [Bug 1677068] Re: Move from X-Frame-Options to Content-Security-Policy

2018-04-16 Thread Cecilia Vela Gurovic
** Changed in: mahara
 Assignee: (unassigned) => Cecilia Vela Gurovic (ceciliavg)



[Mahara-contributors] [Bug 1677068] Re: Move from X-Frame-Options to Content-Security-Policy

2018-03-07 Thread Robert Lyon
** Changed in: mahara
Milestone: 18.04.0 => 18.10.0



[Mahara-contributors] [Bug 1677068] Re: Move from X-Frame-Options to Content-Security-Policy

2017-09-17 Thread Robert Lyon
** Changed in: mahara
Milestone: 17.10.0 => 18.04.0



[Mahara-contributors] [Bug 1677068] Re: Move from X-Frame-Options to Content-Security-Policy

2017-03-30 Thread Kristina Hoeppner
** Changed in: mahara
   Status: New => Confirmed
