Fossil SCM

Change X-Frame-Options to SAMEORIGIN to give reasonable click-jacking protection without blocking some client side scripting currently in use by some fossil users.

ben 2011-08-10 15:54 trunk

Commit b968f023a88a6af5c7bcb6e499c42e3173a8e32e

Parent 303dd442feb8202…

1 file changed +1 -1

~ src/cgi.c

M src/cgi.c

+1 -1

		--- src/cgi.c
		+++ src/cgi.c
		@@ -295,11 +295,11 @@
295	295	if( blob_size(&extraHeader)>0 ){
296	296	fprintf(g.httpOut, "%s", blob_buffer(&extraHeader));
297	297	}
298	298
299	299	/* Add headers to turn on useful security options in browsers. */
300		- fprintf(g.httpOut, "X-Frame-Options: DENY\r\n");
	300	+ fprintf(g.httpOut, "X-Frame-Options: SAMEORIGIN\r\n");
301	301	/* This stops fossil pages appearing in frames or iframes, preventing
302	302	** click-jacking attacks on supporting browsers.
303	303	**
304	304	** Other good headers would be
305	305	** Strict-Transport-Security: max-age=62208000
306	306

	--- src/cgi.c
	+++ src/cgi.c
	@@ -295,11 +295,11 @@
295	if( blob_size(&extraHeader)>0 ){
296	fprintf(g.httpOut, "%s", blob_buffer(&extraHeader));
297	}
298
299	/* Add headers to turn on useful security options in browsers. */
300	fprintf(g.httpOut, "X-Frame-Options: DENY\r\n");
301	/* This stops fossil pages appearing in frames or iframes, preventing
302	** click-jacking attacks on supporting browsers.
303	**
304	** Other good headers would be
305	** Strict-Transport-Security: max-age=62208000
306

	--- src/cgi.c
	+++ src/cgi.c
	@@ -295,11 +295,11 @@
295	if( blob_size(&extraHeader)>0 ){
296	fprintf(g.httpOut, "%s", blob_buffer(&extraHeader));
297	}
298
299	/* Add headers to turn on useful security options in browsers. */
300	fprintf(g.httpOut, "X-Frame-Options: SAMEORIGIN\r\n");
301	/* This stops fossil pages appearing in frames or iframes, preventing
302	** click-jacking attacks on supporting browsers.
303	**
304	** Other good headers would be
305	** Strict-Transport-Security: max-age=62208000
306

Fossil SCM

Keyboard Shortcuts