[CWD-4595] Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Medium
Resolution: Fixed
Affects Version/s: 2.8.3
Fix Version/s: 2.9.1
Component/s: Core features
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Crowd is vulnerable to Clickjacking. That is, it is possible to frame crowd from a page hosted in a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name.

This issue can be addressed by using the X-Frame-Options header and or through the CSP frame-ancestors directive. When fixing this issue we need to ensure that resources that need to be able to be framed are still allowed to be framed, e.g. gadget resources.

Attachments

Issue Links

is depended on by: SCT-1150 Loading...

mentioned in: Page Loading...

Activity

People

Assignee:: Diego Berrueta

Reporter:: David Black

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 06/Jan/2016 1:16 AM

Updated:: 15/Aug/2019 7:05 AM

Resolved:: 23/Feb/2016 10:13 AM