ItamarWMDE added a comment.
Unfortunately, it seems we cannot do this, as these headers were requested by the WMF Security Team. In addition, this might expose us to some forms of clickjacking <https://owasp.org/www-community/attacks/Clickjacking> attacks, where other embedding sites will be able to steal some information from the embedded page. If we were able to limit the iframe to the domain of the MOOC, we might have had grounds to consider this. However, there is no longer an option to have an allow list of embedding origins, as this is deprecated in modern browsers <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#browser_compatibility>. We might be able to try and set a `Content-Security-Policy` header with a `frame-ancestors` directive set to the domain of the MOOC. But I would still defer to advice from the WMF Security Team.

TASK DETAIL
https://phabricator.wikimedia.org/T329121
Wikidata-bugs mailing list
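As an added illustration of the `frame-ancestors` approach the comment proposes (this is example code, not MediaWiki's or WMF's header handling), the function below parses a `Content-Security-Policy` header and decides whether a given embedding origin is permitted, using a simplified form of the CSP3 source-expression rules; `mooc.example.org` and the other hostnames are placeholders.

```python
"""Added example (not MediaWiki/WMF code): is an embedding origin allowed by the
frame-ancestors directive of a CSP header? Domain names below are placeholders."""
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def parse_frame_ancestors(csp_header: str):
    """Return the frame-ancestors source list (lowercased), or None if absent."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def _origin(url: str):
    # Reduce a URL to (scheme, host, effective port) so origins compare cleanly.
    u = urlsplit(url)
    return u.scheme.lower(), u.hostname or "", u.port or DEFAULT_PORT.get(u.scheme.lower())

def _source_matches(source: str, page: tuple, ancestor: tuple) -> bool:
    """Simplified CSP3 source-expression matching for one frame-ancestors entry."""
    a_scheme, a_host, a_port = ancestor
    if source == "'none'":
        return False
    if source == "'self'":                            # same scheme, host and port as page
        return ancestor == page
    if source.endswith(":") and "/" not in source:    # scheme-source such as "https:"
        return a_scheme == source[:-1] or (source == "http:" and a_scheme == "https")
    scheme, _, rest = source.rpartition("://")        # host-source, scheme optional
    host, _, port = rest.split("/", 1)[0].partition(":")
    wanted = scheme or page[0]                        # no scheme: inherit the page's
    if a_scheme != wanted and not (wanted == "http" and a_scheme == "https"):
        return False
    if host.startswith("*."):                         # "*.example.org" excludes the apex
        if a_host == host[2:] or not a_host.endswith(host[1:]):
            return False
    elif a_host != host:
        return False
    if port == "":                                    # no port: scheme default only
        return a_port == DEFAULT_PORT.get(a_scheme)
    return port == "*" or str(a_port) == port

def embedding_allowed(csp_header: str, page_url: str, ancestor_url: str) -> bool:
    """True if a frame on ancestor_url may embed page_url; no directive = no restriction."""
    sources = parse_frame_ancestors(csp_header)
    if sources is None:
        return True
    page, ancestor = _origin(page_url), _origin(ancestor_url)
    return any(_source_matches(s, page, ancestor) for s in sources)
```

Note that a header without any `frame-ancestors` directive imposes no framing restriction, which is why the check returns True in that case; pairing the directive with `'self'` keeps same-origin embedding working.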
