| Summary: | Unable to see patch contents in Details iframe due to X-Frame-Options: SAMEORIGIN | ||
|---|---|---|---|
| Product: | Services | Reporter: | VK <vlad-fbsd> |
| Component: | Bug Tracker | Assignee: | Peter Wemm <peter> |
| Status: | Closed FIXED | ||
| Severity: | Affects Many People | CC: | bugmeister, clusteradm, mmokhi, peter |
| Priority: | --- | Keywords: | feature, regression |
| Version: | unspecified | ||
| Hardware: | Any | ||
| OS: | Any | ||
Description
VK
2016-10-15 08:37:14 UTC

Thanks for the report, I'll look into this right away.

Setting the ALLOW-FROM does appear to make both Firefox and Chrome show the contents when clicking the 'Details' button. Can you confirm that basic functionality is restored? We don't set a CSP on either of those addresses. Chrome's console is quite angry about the state of things but appears to "work" in spite of it. Clearly there's more work required there - it is complaining about allow-scripts as well. I'll leave this marked as in-progress and look at it more today.

Yes I can confirm, both Chromium and Firefox now show attachment contents. It appears that Content-Security-Policy is now preferred over X-Frame-Options when an "allow" policy is to be set: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy That, instead of X-Frame-Options should keep the intended protection in both browsers and quiet the Chromium console. Right now it "works" in Chromium in that there's no understood policy, so it's implicitly allowed.

Is there anything else to be done with this? I see it's working just fine since it was fixed back in November.

(In reply to Vladimir Krstulja from comment #4) I guess it's done. need peter@ to confirm it though :D

Peter, can we close this? Seems everything is working just fine.

I believe that this can be closed.
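
The framing-header behaviour discussed in the comments above, as an added Python example that is not part of the bug thread or the tracker's configuration: it models whether a page may be framed under `X-Frame-Options` and CSP `frame-ancestors`, for a browser that supports `ALLOW-FROM` and for one that does not. The origins and header sets are constructed placeholders, and it assumes the tracker and the attachment host are different origins.

```python
from urllib.parse import urlsplit

# Constructed placeholder origins and header sets (not the real hosts or headers).
TRACKER = "https://bugs.example.org/show_bug.cgi?id=1"
ATTACHMENT = "https://attachments.example.org/attachment.cgi?id=1"
OTHER = "https://other.example.net/page.html"
BEFORE = {"X-Frame-Options": "SAMEORIGIN"}
INTERIM = {"X-Frame-Options": "ALLOW-FROM https://bugs.example.org"}
WITH_CSP = {"Content-Security-Policy": "frame-ancestors https://bugs.example.org"}

def _origin(url):
    """scheme://host[:port] of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in (csp or "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def may_frame(headers, page_url, parent_url, honours_allow_from):
    """True if a browser would let parent_url frame page_url.

    honours_allow_from=False models a browser with no ALLOW-FROM support,
    which ignores that value. Simplified: single-level framing, and CSP
    sources limited to 'self', 'none' and explicit origins.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = _origin(page_url), _origin(parent_url)
    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is not None:  # frame-ancestors takes precedence over XFO
        return any((s.lower() == "'self'" and parent == page)
                   or ("://" in s and _origin(s) == parent) for s in sources)
    xfo = h.get("x-frame-options", "").strip()
    if xfo.lower() == "deny":
        return False
    if xfo.lower() == "sameorigin":
        return parent == page
    if xfo.lower().startswith("allow-from ") and honours_allow_from:
        return _origin(xfo.split(None, 1)[1]) == parent
    return True  # no header, or a value this browser does not understand

if __name__ == "__main__":
    for name, hdrs in (("before", BEFORE), ("interim", INTERIM), ("csp", WITH_CSP)):
        for supports in (True, False):
            print(name, "ALLOW-FROM supported:", supports,
                  "tracker:", may_frame(hdrs, ATTACHMENT, TRACKER, supports),
                  "other:", may_frame(hdrs, ATTACHMENT, OTHER, supports))
```

With the `ALLOW-FROM` header alone, the browser without support for it lets any origin frame the attachment, which is the "implicitly allowed" state described in the thread; the `frame-ancestors` policy gives the same answer in both browser models.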