sbassett added a comment.
In T329121#8620995 <https://phabricator.wikimedia.org/T329121#8620995>, @ItamarWMDE wrote:

> Unfortunately, it seems like we cannot do this as these headers were requested by the WMF security team it seems. In addition, this might expose us to some forms of clickjacking <https://owasp.org/www-community/attacks/Clickjacking> attacks, where other embedding sites will be able to steal some information from the embedded page.

This is all correct, and why we'd discourage a revert of the status quo or, at the very least, likely rate it as at least a {icon exclamation-triangle color=yellow} **medium risk**.

> We might be able to try and set a `Content-Security-Policy` header with a `frame-ancestors` directive set to the domain of the MOOC. But I would still defer to advice from the WMF Security Team (tagging @sbassett here since they are the only contact I have in the team so far)

This is likely feasible, if it doesn't interfere with any potential `X-Frame-Options: deny` headers, and if the source list is kept to a minimum of //absolutely necessary// URLs that the #security-team <https://phabricator.wikimedia.org/tag/security-team/> could review and assign any potential risk ratings.

TASK DETAIL
https://phabricator.wikimedia.org/T329121

To: sbassett
Cc: sbassett, ItamarWMDE, Lucas_Werkmeister_WMDE, mickeybarber, Envlh, Aklapper, Astuthiodit_1, karapayneWMDE, Invadibot, Devnull, maantietaja, Akuckartz, Michael, Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, Wong128hk, Luke081515, Wikidata-bugs, aude, Bawolff, Grunny, csteipp, Mbch331, Jay8g, Krenair
_______________________________________________ Wikidata-bugs mailing list -- [email protected] To unsubscribe send an email to [email protected]
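The question sbassett raises, whether a `frame-ancestors` source list would "interfere with" an existing `X-Frame-Options: deny`, comes down to how browsers resolve the two headers when both are present. The following Python is an added example, not code from the task, from WMDE or from Wikimedia: it models that decision for a given embedding origin and then checks the status-quo headers against the proposed ones. The origins `https://www.wikidata.org` and `https://mooc.example` are placeholders, and the rules follow the CSP Level 3 spec (when `frame-ancestors` is present it is enforced and `X-Frame-Options` is ignored; otherwise `DENY` and `SAMEORIGIN` apply). Real browsers should still be tested before relying on this.

```python
"""Model whether a browser will let `embedder` frame a page served with the
given X-Frame-Options / Content-Security-Policy headers.

Simplifications (this is an illustration, not a full CSP source matcher):
a single CSP header is handled, and scheme-less host sources are taken to
match only the page's own scheme. Origins are hypothetical placeholders.
"""
from urllib.parse import urlsplit

# Placeholder origins for the example (not taken from the task).
PAGE = "https://www.wikidata.org"
MOOC = "https://mooc.example"

STATUS_QUO = {"X-Frame-Options": "DENY"}
PROPOSED = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": f"frame-ancestors 'self' {MOOC}",
}


def _origin_parts(origin: str):
    """Split an origin into (scheme, host, port) with the default port filled in."""
    u = urlsplit(origin)
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.scheme.lower(), (u.hostname or "").lower(), port


def parse_frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def source_matches(source: str, embedder: str, page: str) -> bool:
    """Does one frame-ancestors source expression match the embedding origin?"""
    if source == "*":
        return True
    if source == "'self'":
        return _origin_parts(embedder) == _origin_parts(page)
    e_scheme, e_host, e_port = _origin_parts(embedder)
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. "https:"
        return e_scheme == source[:-1]
    if "://" in source:  # host-source with explicit scheme
        s_scheme, rest = source.split("://", 1)
    else:  # scheme-less host-source: simplified to the page's own scheme
        s_scheme, rest = _origin_parts(page)[0], source
    host, _, port = rest.partition(":")
    if s_scheme != e_scheme:
        return False
    if host.startswith("*."):  # "*.mooc.example" matches any subdomain
        if not e_host.endswith(host[1:]):
            return False
    elif host != e_host:
        return False
    default_port = 443 if s_scheme == "https" else 80
    if port == "*":
        return True
    if port == "":
        return e_port == default_port
    return int(port) == e_port


def framing_allowed(headers: dict, page: str, embedder: str) -> bool:
    """Apply the CSP3 rule: frame-ancestors, if present, wins over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return False
        return any(source_matches(s, embedder, page) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin_parts(embedder) == _origin_parts(page)
    # ALLOW-FROM is obsolete and, like any unrecognised value, ignored by browsers.
    return True


def compare_policies(embedders=(MOOC, "https://evil.example", PAGE)) -> dict:
    """Status quo vs proposed headers, per embedding origin: {origin: (before, after)}."""
    return {
        e: (framing_allowed(STATUS_QUO, PAGE, e), framing_allowed(PROPOSED, PAGE, e))
        for e in embedders
    }


if __name__ == "__main__":
    for origin, (before, after) in compare_policies().items():
        print(f"{origin:28} status quo: {before!s:5}  proposed: {after}")
```

The important consequence for the review sbassett describes: once `frame-ancestors` is set, the existing `deny` no longer protects anything, so every entry in the source list is effectively a grant of framing rights, which is why keeping that list to the absolutely necessary origins matters.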
