I think all websites of *.drupal.org should have the no frame option in the header to prevent sites abusing the content and injecting framed ads.
More information on this header can be found at https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
Comments
Comment #1
frankschaap commented:
x-frame-options is deprecated.
Content Security Policy is the recommended W3C way of preventing your site being framed. CSP is already quite well supported.
These directives can be used together, as the CSP spec defines that the x-frame-options settings should be ignored by the client when content-security-policy directives are found.
Comment #2
bertboerland commented:
Comment #3
bertboerland commented:
thanks frank, changed title.
Content-Security-Policy-Report-Only: default-src 'self'; report-uri
could be added on the headers of all *.d.o servers and domains
Comment #4
basic (Drupal Association) commented:
I think we want this header set, if we set this:
We don't have an endpoint that would know what to do with the report-uri, but setting this policy would prevent other sites from framing d.o. Thoughts?
Comment #5
bertboerland (as a volunteer) commented:
current headers read
< HTTP/2 301
< server: nginx
< content-type: text/html; charset=iso-8859-1
< location: https://www.drupal.org/
< cache-control: no-cache, must-revalidate, post-check=0, pre-check=0
< via: 1.1 varnish, 1.1 varnish
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< content-security-policy: frame-ancestors 'self'
< permissions-policy: interest-cohort=()
< strict-transport-security: max-age=15552000; includeSubDomains; preload
< accept-ranges: bytes
< date: Wed, 06 Jul 2022 19:38:31 GMT
< age: 4
< x-served-by: cache-sea4443-SEA, cache-ams21082-AMS
< x-cache: HIT, HIT
< x-cache-hits: 1, 1
< x-timer: S1657136312.551138,VS0,VE1
< content-length: 231
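Added example (not part of this issue thread or of drupal.org's own tooling): a small Python checker that parses a curl -v style header dump like the one in comment #5 and decides which header actually governs framing, applying the precedence rule comment #1 describes (an enforced Content-Security-Policy frame-ancestors directive wins over X-Frame-Options, and a Report-Only policy enforces nothing). The header dumps are constructed for the example; the drupal.org one reuses the lines quoted above, and the report-uri path is a placeholder.

```python
"""Evaluate clickjacking (framing) protection from a curl -v response-header dump."""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample: a subset of the curl output quoted in comment #5.
DRUPAL_ORG_DUMP = """\
< HTTP/2 301
< server: nginx
< content-type: text/html; charset=iso-8859-1
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< content-security-policy: frame-ancestors 'self'
< strict-transport-security: max-age=15552000; includeSubDomains; preload
"""

# Constructed sample: a response relying on X-Frame-Options alone.
XFO_ONLY_DUMP = """\
< HTTP/2 200
< x-frame-options: DENY
"""

# Constructed sample: a report-only policy in the spirit of comment #3
# (the report-uri path is a placeholder, not a real endpoint).
REPORT_ONLY_DUMP = """\
< HTTP/2 200
< content-security-policy-report-only: default-src 'self'; report-uri /csp-report
"""


def parse_curl_headers(dump: str) -> dict[str, list[str]]:
    """Turn curl's '< name: value' lines into a lower-cased header map.

    Names are case-insensitive; repeated headers are kept in order because
    CSP may legitimately be sent more than once.
    """
    headers: dict[str, list[str]] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line.startswith("<"):
            continue
        line = line[1:].strip()
        if not line or line.upper().startswith("HTTP/") or ":" not in line:
            continue  # status line or blank terminator, not a header
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directive(policy: str, directive: str) -> list[str] | None:
    """Return the source list of `directive` inside one CSP value, or None if absent."""
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return None


def framing_policy(headers: dict[str, list[str]]) -> tuple[str, str]:
    """Return (source, policy): the header that really decides framing.

    An enforced frame-ancestors directive takes precedence and makes the
    client ignore X-Frame-Options; Content-Security-Policy-Report-Only is
    deliberately not consulted because it never blocks anything.
    """
    for policy in headers.get("content-security-policy", []):
        sources = csp_directive(policy, "frame-ancestors")
        if sources is not None:
            return "csp", " ".join(sources)
    for value in headers.get("x-frame-options", []):
        return "xfo", value.strip().upper()
    return "none", ""


def _origin(url: str) -> tuple[str, str]:
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def _source_matches(source: str, framer_url: str, page_url: str) -> bool:
    """Match one frame-ancestors source against the framing page's origin (simplified)."""
    lowered = source.lower()
    if lowered == "'none'":
        return False
    if lowered == "'self'":
        return _origin(framer_url) == _origin(page_url)
    if source == "*":
        return True
    scheme, host = _origin(framer_url)
    if source.endswith(":"):  # scheme-source such as https:
        return scheme == lowered[:-1]
    src_scheme, src_host = _origin(source if "://" in source else f"{scheme}://{source}")
    if src_host.startswith("*."):  # wildcard host-source, e.g. https://*.drupal.org
        return host.endswith(src_host[1:]) and host != src_host[2:]
    return (src_scheme, src_host) == (scheme, host)


def allows_framing(headers: dict[str, list[str]], page_url: str, framer_url: str) -> bool:
    """True if a page served with `headers` may be embedded by a page at `framer_url`."""
    kind, policy = framing_policy(headers)
    if kind == "csp":
        return any(_source_matches(s, framer_url, page_url) for s in policy.split())
    if kind == "xfo":
        if policy == "DENY":
            return False
        if policy == "SAMEORIGIN":
            return _origin(framer_url) == _origin(page_url)
        return True  # obsolete values such as ALLOW-FROM are not enforced by current browsers
    return True  # no enforcing header at all


if __name__ == "__main__":
    for label, dump in [("drupal.org", DRUPAL_ORG_DUMP), ("xfo-only", XFO_ONLY_DUMP), ("report-only", REPORT_ONLY_DUMP)]:
        hdrs = parse_curl_headers(dump)
        print(label, framing_policy(hdrs), allows_framing(hdrs, "https://www.drupal.org/", "https://attacker.example/"))
```

With the headers from comment #5 the checker reports that CSP is the governing header and that a third-party origin cannot frame the page; the report-only sample shows why a Report-Only policy on its own would not prevent framing, which is the point comment #4 raises about needing an enforced header rather than only a reporting one.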
Comment #6
bertboerland (as a volunteer) commented: