Bug #54201
closed
Epic #55070: Workpackages
Epic #55066: WP: Security enhancements
Implement Clickjacking Protection
100%
Description
- Send
X-Frame-Optionsheaders (X-Frame-Options: SAMEORIGIN) in the backend by default- Find an appropriate place where to send these headers
- Add TYPO3_CONF_VARS configuration to disable it
- Provide possibility to disable this protection if not needed/ wanted.
- Coordinate with SecurityGuide writers to mention Webserver configuration for FE (no PHP implementation for frontend requests)
JS snippet to reveal body tag only when iframe included in correct parent url is not needed, as browsers supported by TYPO3 6.2 (Chrome, Safari, FF, IE >7) have support for X-Frame-Options
Updated by Helmut Hummel over 10 years ago
- Project changed from 1716 to TYPO3 Core
Updated by Helmut Hummel over 10 years ago
- Target version set to 6.2.0
- Is Regression set to No
Updated by Helmut Hummel over 10 years ago
- Status changed from New to Accepted
- Priority changed from Should have to Could have
Updated by
Updated by Helmut Hummel about 10 years ago
- Estimated time set to 12.00 h
Helmut Hummel wrote:
X-Frame-Options headers
JS snippet to reveal body tag only when iframe included in correct parent url (find reference implementation)
Updated by Gerrit Code Review about 10 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28601
Updated by Gerrit Code Review about 10 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28601
Updated by Helmut Hummel about 10 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 517efee327b8fc4f0203bd437eca90bdbaf5d05d.
Updated by Riccardo De Contardi over 6 years ago
- Status changed from Resolved to Closed