X-Frame-Options header in Admin returns an invalid value

Description

In OF-997, the Admin console was given clickjacking protection via the X-Frame-Options response header. This initially returned a value of "deny" but was later changed to return "same".
"same" is not a valid directive: browsers only honour DENY and SAMEORIGIN (compared case-insensitively), so Chrome logs a console error and ignores the header entirely. Without this fix, Admin remains potentially vulnerable to clickjacking, because an ignored X-Frame-Options header gives no protection at all.
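The following is an added example, not Openfire project code, that checks an X-Frame-Options value the way a browser treats it: case-insensitive match against DENY and SAMEORIGIN, anything else ignored (which means framing is still allowed). The sample responses are constructed to mirror the states described in this issue (no header, "deny", the broken "same", and the SAMEORIGIN workaround); the header names and the function names are assumptions made for the example.

```python
# Added example (not Openfire code): evaluate whether an X-Frame-Options header value
# actually protects a page against clickjacking, as a modern browser would judge it.
from typing import Dict, NamedTuple, Optional

# The only directives browsers honour; ALLOW-FROM was never supported by Chrome.
VALID_DIRECTIVES = {"deny", "sameorigin"}


class XfoResult(NamedTuple):
    raw: Optional[str]        # header value as received, or None if absent
    directive: Optional[str]  # normalised directive ("deny"/"sameorigin") or None
    protected: bool           # True only if a browser will refuse cross-origin framing
    reason: str               # human-readable explanation for an audit report


def classify_x_frame_options(value: Optional[str]) -> XfoResult:
    """Return how a browser will treat one X-Frame-Options header value.

    Browsers compare the token case-insensitively after trimming whitespace, so
    "sameorigin" and "SAMEORIGIN" are equivalent. Any other token, such as the
    "same" reported in this issue, is ignored: the page can still be framed.
    """
    if value is None:
        return XfoResult(None, None, False, "header missing: framing allowed from any origin")
    token = value.strip().lower()
    if token in VALID_DIRECTIVES:
        return XfoResult(value, token, True, f"valid directive {token!r}")
    if token.startswith("allow-from"):
        return XfoResult(value, None, False,
                         "ALLOW-FROM is obsolete and ignored by Chrome: framing allowed")
    return XfoResult(value, None, False,
                     f"invalid value {value!r}: browser ignores the header and allows framing")


def audit_responses(responses: Dict[str, Dict[str, str]]) -> Dict[str, XfoResult]:
    """Classify each named response's X-Frame-Options header (header names are case-insensitive)."""
    results = {}
    for name, headers in responses.items():
        value = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
        results[name] = classify_x_frame_options(value)
    return results


# Constructed sample responses (assumed, not captured from a real server) for the
# Admin console at the states this issue describes.
SAMPLE_RESPONSES = {
    "before-OF-997":  {"Content-Type": "text/html"},
    "OF-997-initial": {"Content-Type": "text/html", "X-Frame-Options": "deny"},
    "OF-997-updated": {"Content-Type": "text/html", "X-Frame-Options": "same"},
    "workaround":     {"Content-Type": "text/html", "x-frame-options": "SAMEORIGIN"},
}

if __name__ == "__main__":
    for name, result in audit_responses(SAMPLE_RESPONSES).items():
        status = "OK " if result.protected else "BAD"
        print(f"{status} {name:15s} X-Frame-Options={result.raw!r}: {result.reason}")
```

Against a live server the same check is a one-liner: request the login page of the Admin console (Openfire serves it on port 9090 by default) with `curl -sI` and feed the X-Frame-Options value to `classify_x_frame_options`; a result with `protected == False` means the header is being ignored, whatever value it carries.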

Environment

None

Activity

Dan Caseley
November 25, 2020, 2:58 PM

Workaround: Add SAMEORIGIN to the adminConsole.frame-options property

Dan Caseley
November 25, 2020, 3:01 PM

Trivial fix is here:

Requires testing

Fixed

Assignee

Guus der Kinderen

Reporter

Dan Caseley

Labels

None

Expected Effort

None

Ignite Forum URL

None

Fix versions

Priority

Major