8400 – Security scanners complain about missing iframe headers

Bug 8400 - Security scanners complain about missing iframe headers

Summary: Security scanners complain about missing iframe headers

Status:	NEW

Alias:	None

Product:	ThinLinc
Classification:	Unclassified
Component:	Other (show other bugs)
Version:	trunk
Hardware:	PC Unknown

Importance:	P2 Normal
Target Milestone:	LowPrio
Assignee:	Bugzilla mail exporter

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-07-25 16:14 CEST by Pierre Ossman
Modified:	2024-08-13 13:31 CEST (History)
CC List:	0 users

See Also:	8319 5231 8191
Acceptance Criteria:

Attachments
Nessus screenshot (831.87 KB, image/png) 2024-07-25 16:14 CEST, Pierre Ossman	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Pierre Ossman cendio

2024-07-25 16:14:11 CEST

Created attachment 1220 [details]
Nessus screenshot

Nessus is at it again and complains if a web server doesn't set X-Frame-Options or Content-Security-Policy. This provides protection against clickjacking on sites that maintain a login (e.g. using session cookies).

Since we don't maintain logins, there is nothing to protect in ThinLinc by adding these.

But users still want to avoid having warnings from Nessus, so it would be good if we could include those headers.

Comment 1 Pierre Ossman cendio

2024-07-25 16:15:34 CEST

Note that adding such headers would prevent embedding Web Access or Web Admin, so we need to consider bug 5231 and bug 8191 as well.

Note You need to log in before you can comment on or make changes to this bug.