
Re: Security Tracker Frame Options Header



Hi Paul,

Thank you for this information. I've worked around this by using Netscape, which even in its newest version does not support this header but displays the page correctly, thus allowing me to do what I wanted to do. But I have to say that subscribing is the better option, though I can't figure out what "nnn" stands for. A number? I've tried to email these addresses but they are reported as nonexistent: "CVE-2017-5753-subscribe@bugs.debian.org", "CVE-2017-5715-subscribe@bugs.debian.org", "CVE-2017-5754-subscribe@bugs.debian.org"
What is "nnn" and where do I find it?

Thanks, Mattia

-----Original Message-----
From: paul.is.wise@gmail.com [mailto:paul.is.wise@gmail.com] On Behalf Of Paul Wise
Sent: Saturday, 13 January 2018 04:21
To: Mattia Dorigatti | Brandnamic <mattia.dorigatti@brandnamic.com>
Cc: debian-security-tracker@lists.debian.org
Subject: Re: Security Tracker Frame Options Header

On Fri, Jan 12, 2018 at 4:59 PM, Mattia Dorigatti wrote:

> I have a question. Why do the security tracker sites have the X-Frame-Options: sameorigin header set? Because I wanted to keep an eye on some CVEs, I've created a simple HTML site with three iframes and the refresh meta tag so that I could put it on an extra monitor and have a look at the status. But I can't do that if that header is set. Why is this and can it be changed?

All debian.org hosts use this header where possible. As you can see in the Mozilla documentation, it is used to prevent clickjacking attacks as well as hosts passing off content as their own, so I'm not sure it is a good idea to disable it. I think it might be best for you to use a browser extension to achieve the autorefresh and open a window for each CVE. You could also just subscribe to the Debian bug mail for each bug associated with the CVEs you are interested in.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://www.debian.org/Bugs/Developer#subscribe

--
bye,
pabs

https://wiki.debian.org/PaulWise
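
Added example (not part of the original messages, and not code from Debian or Mozilla): a simplified model of the check a browser applies to X-Frame-Options, showing why a locally opened page with iframes is refused under sameorigin. Function names, URLs and sample headers are constructed for illustration.

```javascript
// Added example: simplified model of the browser-side X-Frame-Options check.
// Names and URLs are hypothetical; sample headers are constructed.

// Opaque origins (file:, data:) serialize as "null" and match nothing.
function originOf(url) {
  const origin = new URL(url).origin;
  return origin === 'null' ? null : origin;
}

// headers: { xfo: [header values], csp: [enforced policy strings] }
// ancestorUrls: URLs of every document above the frame, parent through top.
function mayBeFramed(headers, resourceUrl, ancestorUrls) {
  const { xfo = [], csp = [] } = headers;
  // An enforced frame-ancestors directive takes over; X-Frame-Options is ignored.
  const hasFrameAncestors = csp.some((policy) =>
    policy.split(';').some((d) => /^frame-ancestors(\s|$)/i.test(d.trim())));
  if (hasFrameAncestors) return { allowed: null, reason: 'frame-ancestors decides' };

  const values = new Set(
    xfo.flatMap((h) => h.split(',')).map((v) => v.trim().toLowerCase()).filter(Boolean));
  const recognised = ['deny', 'sameorigin', 'allowall'].some((v) => values.has(v));
  if (values.size > 1) {
    // Conflicting recognised values fail closed; unrecognised ones are ignored.
    return recognised
      ? { allowed: false, reason: 'conflicting values' }
      : { allowed: true, reason: 'no recognised value' };
  }
  if (values.has('deny')) return { allowed: false, reason: 'deny' };
  if (values.has('sameorigin')) {
    const target = originOf(resourceUrl);
    // Every ancestor must match, not only the top-level document.
    const sameOrigin = ancestorUrls.every((a) => {
      const o = originOf(a);
      return o !== null && o === target;
    });
    return sameOrigin
      ? { allowed: true, reason: 'all ancestors same-origin' }
      : { allowed: false, reason: 'cross-origin ancestor' };
  }
  return { allowed: true, reason: 'no restriction' };
}

const tracker = 'https://tracker.example/CVE-0000-0000'; // constructed URL
const sameorigin = { xfo: ['sameorigin'] };
console.log(mayBeFramed(sameorigin, tracker, ['file:///home/user/dashboard.html']));
console.log(mayBeFramed(sameorigin, tracker, ['https://tracker.example/']));
```

A browser that predates the header never runs this check, which is why an old client still renders the frames and also why it gives no clickjacking protection.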
