horizon/openstack_dashboard/templatetags
Brian Tully 056151cc70 Add anti-ClickJack XFS hardening for old browsers

A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to
load the vulnerable application inside an HTML iframe tag on a
malicious page. An attacker could use XFS to devise a Clickjacking
attack to conduct phishing, frame sniffing, social engineering or
Cross-Site Request Forgery attacks. Although many pages within Horizon
leverage the X-Frame-Options header with the recommended SAMEORIGIN
policy, some (still popular) older browsers don’t support this setting.
Namely, browsers older than IE 8 and Firefox 3.6.9 don’t recognize the
header and are thus vulnerable to an attack known as ClickJacking
unless an additional mitigating control is present.

To support legacy browsers, a suggested best practice is to add a
frame breaking script to the base/global template file.

Reference: http://tinyurl.com/anticlickjack

Change-Id: Ibd7acd0d7b4c4d58afcd59f025735bfc9e4c2957
Closes-Bug: 1461154
2015-07-02 12:57:35 -04:00
__init__.py Context selection for project and region 2014-09-02 09:38:27 -06:00
context_selection.py Add anti-ClickJack XFS hardening for old browsers 2015-07-02 12:57:35 -04:00