I think all websites of *.drupal.org should have the no frame option in the header to prevent sites abusing the content and injecting framed ads.

More information on this header can be found at https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

Comments

frankschaap

x-frame-options is deprecated.

Content Security Policy is the recommended W3C way of preventing your site being framed. CSP is already quite well supported.

These directives can be used together, as the CSP spec defines that the x-frame-options settings should be ignored by the client when content-security-policy directives are found.

bertboerland

Title: Add x no frame headers on webservers » Add "Content-Security-Policy-Report-Only:" header on webservers
bertboerland

thanks frank, changed title.

    Content-Security-Policy-Report-Only: default-src 'self'; report-uri

could be added to the headers of all *.d.o servers and domains

basic

I think we want this header set, if we set this:

    set beresp.http.Content-Security-Policy = "default-src 'self'";

We don't have an endpoint that would know what to do with the report-uri, but setting this policy would prevent other sites from framing d.o. Thoughts?

bertboerland

current headers read

< HTTP/2 301
< server: nginx
< content-type: text/html; charset=iso-8859-1
< location: https://www.drupal.org/
< cache-control: no-cache, must-revalidate, post-check=0, pre-check=0
< via: 1.1 varnish, 1.1 varnish
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< content-security-policy: frame-ancestors 'self'
< permissions-policy: interest-cohort=()
< strict-transport-security: max-age=15552000; includeSubDomains; preload
< accept-ranges: bytes
< date: Wed, 06 Jul 2022 19:38:31 GMT
< age: 4
< x-served-by: cache-sea4443-SEA, cache-ams21082-AMS
< x-cache: HIT, HIT
< x-cache-hits: 1, 1
< x-timer: S1657136312.551138,VS0,VE1
< content-length: 231
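The header dump above is what a practitioner would check to confirm the outcome of this issue: which header actually governs framing, and whether a `default-src`-only policy (as proposed earlier in the thread) would do the job. The following Python script is an added example, not code from this thread or from drupal.org's own configuration; it parses a `curl -v` style dump (the sample is constructed from the headers quoted above) and applies the browser rules that matter here: an enforced `frame-ancestors` directive takes precedence and makes `X-Frame-Options` ignored, `frame-ancestors` does not fall back to `default-src`, and a `Content-Security-Policy-Report-Only` header never blocks anything.

```python
"""Added example: assess a response's anti-framing posture from its headers.

Not code from the drupal.org thread; SAMPLE_DUMP is constructed from the
curl-style output quoted in the thread.
"""

# Constructed sample in 'curl -v' response format (the "< " prefixes are curl's).
SAMPLE_DUMP = """\
< HTTP/2 301
< server: nginx
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< content-security-policy: frame-ancestors 'self'
< strict-transport-security: max-age=15552000; includeSubDomains; preload
"""

# frame-ancestors source expressions that still keep every other origin out.
SAFE_ANCESTOR_SOURCES = {"'none'", "'self'"}


def parse_curl_headers(dump):
    """Map lower-cased header names to the list of values seen (headers may repeat)."""
    headers = {}
    for line in dump.splitlines():
        if line.startswith("< "):
            line = line[2:]
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank line or non-header noise
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directives(policy):
    """Split one policy string into {directive: [source expressions]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def assess_framing(headers):
    """Decide which header governs framing and whether cross-origin framing is blocked.

    Rules applied (CSP Level 2/3 and RFC 7034):
      * an enforced frame-ancestors directive wins and X-Frame-Options is ignored;
      * frame-ancestors does NOT inherit from default-src;
      * Content-Security-Policy-Report-Only never blocks anything;
      * X-Frame-Options DENY/SAMEORIGIN block cross-origin framing; other values
        (e.g. the old ALLOW-FROM) are not honoured by current browsers.
    """
    notes = []
    for policy in headers.get("content-security-policy", []):
        directives = csp_directives(policy)
        if "frame-ancestors" in directives:
            sources = directives["frame-ancestors"]
            if "x-frame-options" in headers:
                notes.append("X-Frame-Options present but ignored because frame-ancestors is enforced")
            # An empty source list matches nothing (same effect as 'none').
            blocks = set(sources) <= SAFE_ANCESTOR_SOURCES
            return {"mechanism": "csp frame-ancestors", "enforced": True,
                    "blocks_cross_origin_framing": blocks, "notes": notes}
        if "default-src" in directives:
            notes.append("CSP has default-src but no frame-ancestors; default-src does not cover framing")

    for policy in headers.get("content-security-policy-report-only", []):
        if "frame-ancestors" in csp_directives(policy):
            notes.append("frame-ancestors appears only in the Report-Only header, so it is not enforced")

    for value in headers.get("x-frame-options", []):
        token = value.strip().upper()
        if token in ("DENY", "SAMEORIGIN"):
            return {"mechanism": "x-frame-options", "enforced": True,
                    "blocks_cross_origin_framing": True, "notes": notes}
        notes.append(f"X-Frame-Options value {value!r} is not honoured by current browsers")

    return {"mechanism": "none", "enforced": False,
            "blocks_cross_origin_framing": False, "notes": notes}


def assess_dump(dump):
    """Convenience wrapper: raw curl dump -> assessment dict."""
    return assess_framing(parse_curl_headers(dump))


if __name__ == "__main__":
    result = assess_dump(SAMPLE_DUMP)
    print(result["mechanism"], result["blocks_cross_origin_framing"])
    for note in result["notes"]:
        print(" -", note)
```

Run against the quoted dump it reports `csp frame-ancestors` as the governing mechanism with cross-origin framing blocked, and notes that the `SAMEORIGIN` value is redundant. Feeding it a policy of only `default-src 'self'` shows why that alone would not have prevented framing.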

bertboerland

Status: Active » Closed (outdated)