Prevent clickjacking attack#624
Add optional code param in upload request
Bumps [twig/twig](https://github.com/twigphp/Twig) from 2.16.0 to 2.16.1. - [Changelog](https://github.com/twigphp/Twig/blob/v2.16.1/CHANGELOG) - [Commits](twigphp/Twig@v2.16.0...v2.16.1) --- updated-dependencies: - dependency-name: twig/twig dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
enable custom sender via 'app_email' in the config.php
…g/twig-2.16.1 Bump twig/twig from 2.16.0 to 2.16.1
Currently translated at 99.3% (161 of 162 strings) Translation: XBackBone/XBackBone Translate-URL: https://hosted.weblate.org/projects/xbackbone/xbackbone/sr/
Translations update from Hosted Weblate
Bumps [bootstrap](https://github.com/twbs/bootstrap) from 4.6.1 to 5.0.0. - [Release notes](https://github.com/twbs/bootstrap/releases) - [Commits](twbs/bootstrap@v4.6.1...v5.0.0) --- updated-dependencies: - dependency-name: bootstrap dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [twig/twig](https://github.com/twigphp/Twig) from 2.16.1 to 3.11.2. - [Changelog](https://github.com/twigphp/Twig/blob/v3.11.2/CHANGELOG) - [Commits](twigphp/Twig@v2.16.1...v3.11.2) --- updated-dependencies: - dependency-name: twig/twig dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
…g/twig-3.11.2 Bump twig/twig from 2.16.1 to 3.11.2
Exporting ShareX settings now works for the latest version of ShareX 16.1.0. "unsupported custom uploader" Error Fix
Exporting ShareX Settings Fix
Add an app_email option to the config
[ci skip] [skip ci]
Apply fixes from StyleCI
…/bootstrap-5.0.0 Bump bootstrap from 4.6.1 to 5.0.0
…omposer/twig/twig-3.11.2 Revert "Bump twig/twig from 2.16.1 to 3.11.2"
Bumps [twig/twig](https://github.com/twigphp/Twig) from 2.16.1 to 3.11.2. - [Changelog](https://github.com/twigphp/Twig/blob/3.x/CHANGELOG) - [Commits](twigphp/Twig@v2.16.1...v3.11.2) --- updated-dependencies: - dependency-name: twig/twig dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
…g/twig-3.11.2 Bump twig/twig from 2.16.1 to 3.11.2
Currently translated at 100.0% (162 of 162 strings) Translation: XBackBone/XBackBone Translate-URL: https://hosted.weblate.org/projects/xbackbone/xbackbone/ru/
Currently translated at 100.0% (162 of 162 strings) Translation: XBackBone/XBackBone Translate-URL: https://hosted.weblate.org/projects/xbackbone/xbackbone/ta/
Currently translated at 100.0% (162 of 162 strings) Translation: XBackBone/XBackBone Translate-URL: https://hosted.weblate.org/projects/xbackbone/xbackbone/pt/
Currently translated at 99.3% (161 of 162 strings) Translation: XBackBone/XBackBone Translate-URL: https://hosted.weblate.org/projects/xbackbone/xbackbone/fi/
Currently translated at 100.0% (162 of 162 strings) Translation: XBackBone/XBackBone Translate-URL: https://hosted.weblate.org/projects/xbackbone/xbackbone/id/
Translations update from Hosted Weblate
I remember doing some research, but some people use XBB as a CDN, so there are cases where iframes are actually a wanted feature. Also, this would only "fix" installations behind Apache, not nginx or other web servers, and requires mod_headers to be enabled, otherwise a 500 is raised.
Could potentially do what VaultWarden currently does for iframes to fix this issue, and that is a configurable option to choose allowed iframe ancestors and allowed connect-src. Maybe there could also be an option to define which domains can use iframes. More info (explanation from VaultWarden): This would fix the clickjacking attack while still allowing XBackBone admins to use iframes if they so wish.
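Added example, not XBackBone's or VaultWarden's code: an application-level version of the configurable allow-list proposed in the comment above, emitted from PHP so it applies behind nginx as well as Apache and does not depend on mod_headers. The `frame_ancestors` config key, the function name and the sample origin are assumptions.

```php
<?php
// Added example (not XBackBone's code): emit anti-clickjacking headers from an
// application-level setting so the policy works on any web server and needs no
// Apache mod_headers. 'frame_ancestors' is a hypothetical config.php option,
// modelled on the VaultWarden allowed-ancestors idea.
declare(strict_types=1);

/**
 * Build the response headers for a list of allowed frame ancestors.
 * An empty list means "no framing at all" (the secure default).
 *
 * @param string[] $ancestors CSP source expressions: 'self', 'none', or an origin
 * @return array<string,string> header name => header value
 */
function buildAntiClickjackingHeaders(array $ancestors): array
{
    // Only accept well-formed sources: a malformed config value must not be
    // able to smuggle characters into the header or silently widen the policy.
    $valid = [];
    foreach ($ancestors as $src) {
        $src = trim((string) $src);
        if ($src === "'self'" || $src === "'none'"
            || preg_match('~^https?://[A-Za-z0-9.*-]+(:\d{1,5})?$~', $src) === 1) {
            $valid[] = $src;
        } else {
            throw new InvalidArgumentException("Invalid frame ancestor: {$src}");
        }
    }
    // 'none' anywhere in the list is treated conservatively as deny-all:
    // CSP for current browsers, X-Frame-Options as the legacy fallback.
    if ($valid === [] || in_array("'none'", $valid, true)) {
        return [
            'Content-Security-Policy' => "frame-ancestors 'none'",
            'X-Frame-Options'         => 'DENY',
        ];
    }
    $headers = ['Content-Security-Policy' => 'frame-ancestors ' . implode(' ', $valid)];
    if ($valid === ["'self'"]) {
        // Only the same-origin case has an X-Frame-Options equivalent;
        // ALLOW-FROM is obsolete, so an explicit allow-list is CSP-only.
        $headers['X-Frame-Options'] = 'SAMEORIGIN';
    }
    return $headers;
}

// Usage in a request handler; config.php would supply 'frame_ancestors'.
$config = ['frame_ancestors' => ["'self'", 'https://cdn.example.com']]; // constructed sample
foreach (buildAntiClickjackingHeaders($config['frame_ancestors'] ?? []) as $name => $value) {
    header("{$name}: {$value}");
}
```

Browsers that understand `frame-ancestors` ignore `X-Frame-Options` when both are present, so the fallback only matters for old clients.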
.htaccess updated to prevent iframes working with XBackBone installations.
Issue raised on #432