On 12/19/2017 1:32 AM, Torge Riedel wrote:
> I created a temporary dev env of Trac 1.2.2 with the patch of Jun applied. I
> have configured the following headers in trac.ini:
> [http-headers]
> ...
> Is there a chance to get this in Trac 1.2.3? I recommend setting the headers
> above in a default trac.ini created by trac-admin initenv.

> Content-Security-Policy = frame-ancestors 'none'; default-src 'none'; img-src
> 'self'; script-src 'self'; style-src 'self'; base-uri 'self'

frame-ancestors:
Should be 'self'. Same reason as for X-Frame-Options.

> Referrer-Policy = no-referrer

Should be same-origin by default. Trac core and several plugins use the Referer
header.

> Strict-Transport-Security = max-age=31536000; includeSubDomains

Shouldn't be used by default. Not all Trac sites run on HTTPS.
Also, includeSubDomains should be used only when subdomain(s) are used.
It is hard to reset the "includeSubDomains" behavior on a user's browser when
the configuration is wrong.

> X-Frame-Options = DENY

Should be SAMEORIGIN by default. Trac core and several plugins create iframe
elements via JavaScript.

> X-Content-Type-Options = nosniff
> X-XSS-Protection = 1; mode=block

No problem by default.
--
Jun Omae <jun6...@gmail.com> (大前 潤)