Crowd / CWD-4595

Enable X-Frame-Options in HTTP response headers in order to provide clickjacking protection


    Details

      Description

      Crowd is vulnerable to clickjacking: a page hosted on a different origin can load Crowd in a frame and trick a logged-in user into performing an action they did not intend to perform, for example changing their display name.

      This issue can be addressed by sending the X-Frame-Options header and/or the Content-Security-Policy frame-ancestors directive on Crowd's responses. When fixing this issue we need to ensure that resources which legitimately need to be framed, e.g. gadget resources, are still allowed to be framed.

              People

              Assignee:
              dberrueta Diego Berrueta
              Reporter:
              dblack David Black