This repository has been archived by the owner on Dec 11, 2019. It is now read-only.
[HackerOne] about: pages may be clickjacked #4885
bbondy pushed a commit that referenced this issue Oct 18, 2016
Fix #4885
Auditors: @bbondy
Test Plan:
1. go to http://web.mit.edu/zyan/Public/xframe.html
2. verify that the iframe is empty and there is a CSP error in the console
This fix disables a flash placeholder on y8.com, which was also confirmed by @alexwykoff and @srirambv. Please look at the 2nd line there.
great catch, fixing
no easy fix for 0.12.5 so this is being moved to 0.12.6.
This was referenced Oct 20, 2016
@bbondy did this make it into the preview build?
looks like it didn't, but it should be fixed on master so i'm closing this
they should have the frame-ancestors header
reported at https://hackerone.com/reports/175990
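
One way to check the protection the report asks for, as an added example that is not Brave's code or part of the original thread: given a response's Content-Security-Policy header values, decide whether a parent origin may frame the page under `frame-ancestors`. The function names and the `https://app.example` URL used in testing are assumptions, and matching is simplified to a single ancestor and http/https origins.

```javascript
// Added example (not Brave's code): may a page be framed by `ancestor`?
// Simplified to one ancestor level and http/https origins.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Return the frame-ancestors source list of one policy, or null if absent.
function frameAncestorsSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    // Only the first occurrence of a directive in a policy counts.
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function sourceMatches(source, ancestor, page) {
  const s = source.toLowerCase();
  if (s === "'self'") return ancestor.origin === page.origin;
  if (s === '*') return ancestor.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // 'none' and anything unparseable match nothing
  const [, scheme, wildcard, host, port] = m;
  // Without a scheme, the framed page's own scheme applies (http may upgrade to https).
  const schemeOk = scheme
    ? ancestor.protocol === scheme + ':'
    : ancestor.protocol === page.protocol ||
      (page.protocol === 'http:' && ancestor.protocol === 'https:');
  // "*.example.com" covers subdomains only, never example.com itself.
  const hostOk = wildcard ? ancestor.hostname.endsWith('.' + host) : ancestor.hostname === host;
  const actualPort = ancestor.port || DEFAULT_PORT[ancestor.protocol];
  const portOk = port === '*' || actualPort === (port || DEFAULT_PORT[ancestor.protocol]);
  return schemeOk && hostOk && portOk;
}

// headerValues: every Content-Security-Policy header value on the response.
// Each header, and each comma-separated part of one, is its own policy; all must allow.
function framingAllowed(headerValues, ancestorUrl, pageUrl) {
  const ancestor = new URL(ancestorUrl);
  const page = new URL(pageUrl);
  return headerValues
    .flatMap((value) => value.split(','))
    .every((policy) => {
      const sources = frameAncestorsSources(policy);
      return sources === null || sources.some((src) => sourceMatches(src, ancestor, page));
    });
}
```

A response with no `frame-ancestors` directive in any policy returns `true`, which is the condition the report describes.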