Posted to dev@myfaces.apache.org by Gabrielle Crawford <ga...@oracle.com> on 2011/11/22 02:18:57 UTC

[Trinidad] add framebusting support, param default not backward compatible.

Hi all,

I am proposing to implement "frame busting" in Trinidad to prevent clickjacking attacks; the details are here:

https://issues.apache.org/jira/browse/TRINIDAD-2169

This includes a new web.xml parameter, described in the issue above.

I'd like to point out that the default value I'm proposing would NOT be backward compatible, but we should default to something secure so I believe this is an exception.

Please review.

Thanks,

Gabrielle

Re: [Trinidad] add framebusting support, param default not backward compatible.

Posted by Gabrielle Crawford <ga...@oracle.com>.
I have attached a patch with the proposed fix to the issue.

On 11/21/2011 5:18 PM, Gabrielle Crawford wrote:
> Hi all,
>
> I am proposing to implement "frame busting" in Trinidad to prevent clickjacking attacks; the details are here:
>
> https://issues.apache.org/jira/browse/TRINIDAD-2169
>
> This includes a new web.xml parameter, described in the issue above.
>
> I'd like to point out that the default value I'm proposing would NOT be backward compatible, but we should default to something secure so I believe this is an exception.
>
> Please review.
>
> Thanks,
>
> Gabrielle