
Add X-Frame-Options for all response

Authored by Jason Ge <jungejason@fb.com> on Sep 14 2011, 01:38.

Description

Add X-Frame-Options for all response

Summary:
We used to only add X-Frame-Options for AphrontWebpageResponse.
There is some security concern about it. Example of a drag-drop attack:
http://sites.google.com/site/tentacoloviola/. The fix is to add it to
all AphrontResponse.

Test Plan:
View page which disables this option still works (like the
xhpast tree page); verify that the AphrontAjaxResponse contains the
X-Frame-Options in the header.

Reviewers: epriestley, benmathews

Reviewed By: epriestley

CC: nh, aran, jungejason, epriestley

Differential Revision: 926
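
The design the summary describes, as an added sketch that is not the code from this commit: the framing header moves from the web page response into the shared base class, with a per-response opt-out for pages that must be embeddable. The class names, `setFrameable()`, `hasFrameOptions()` and the `DENY` value are assumptions made for illustration.

```php
<?php
// Hypothetical classes modelling the change; not Phabricator's actual code.
abstract class BaseResponse {
  private $frameable = false;

  // Opt-out for the rare page that has to be displayed inside a frame.
  public function setFrameable($frameable) {
    $this->frameable = $frameable;
    return $this;
  }

  // Headers shared by every response type. When this logic lives only in
  // the web page subclass, Ajax and other responses go out without it.
  public function getHeaders() {
    $headers = array();
    if (!$this->frameable) {
      $headers[] = array('X-Frame-Options', 'DENY'); // assumed value
    }
    return $headers;
  }
}

class WebpageResponse extends BaseResponse {}

class AjaxResponse extends BaseResponse {
  public function getHeaders() {
    // Extend the parent's headers instead of replacing them, so the
    // framing header cannot be dropped by accident in a subclass.
    $headers = parent::getHeaders();
    $headers[] = array('Content-Type', 'application/json');
    return $headers;
  }
}

// Check mirroring the test plan: is the header present on a response?
function hasFrameOptions(BaseResponse $response) {
  foreach ($response->getHeaders() as $header) {
    if (strcasecmp($header[0], 'X-Frame-Options') === 0) {
      return true;
    }
  }
  return false;
}

$embeddable = new WebpageResponse();
$embeddable->setFrameable(true);
var_dump(hasFrameOptions(new AjaxResponse()));
var_dump(hasFrameOptions(new WebpageResponse()));
var_dump(hasFrameOptions($embeddable));
```
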

Details

Committed
Jason Ge <jungejason@fb.com> Sep 14 2011, 19:43
Pushed
aubort Jan 31 2017, 17:16
Parents
rPH2f218ac745d5: Provide more thorough defaults in the configuration guide template
Branches
Unknown
Tags
Unknown

Event Timeline

Jason Ge <jungejason@fb.com> committed rPH5284053c0e30: Add X-Frame-Options for all response (authored by Jason Ge <jungejason@fb.com>). Sep 14 2011, 19:43