Prevent clickjacking attack
.htaccess updated to prevent iframes working with XBackBone installations.
Issue raised on https://github.com/sergix44/XBackBone/issues/432
I remember doing some research, but some people use XBB as a CDN, so there are cases where iframes are actually a wanted feature. Also, this would only "fix" installations behind Apache, not nginx or other web servers, and requires mod_headers to be enabled, otherwise a 500 is raised. Since this problem is not really application dependent, but rather deployment/use-case/webserver dependent, I don't feel comfortable merging this. It's possible to have a middleware that sets that header behind a feature flag, maybe 🤔
Could potentially do what VaultWarden currently does for iframes to fix this issue, and that is a configurable option to choose allowed iframe ancestors and allowed connect-src. Maybe there could also be an option to define which domains can use iframes.
More info (explanation from VaultWarden): [allowed_iframe_ancestors] Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets. [allowed_connect_src] Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
This would fix the clickjacking attack while still allowing XBackBone admins to use iframes if they so wish.
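The configurable-allowlist approach discussed in this thread, as an added example that is not XBackBone's or Vaultwarden's code: a plain PHP function that turns a hypothetical `allowed_iframe_ancestors` config value into `Content-Security-Policy: frame-ancestors` (plus the legacy `X-Frame-Options` where it can express the same policy), so the header is set by the application and does not depend on Apache or mod_headers. The config key, function names and sample values are assumptions.

```php
<?php
// Added example (not XBackBone's or Vaultwarden's code): compute anti-clickjacking
// headers from a hypothetical "allowed_iframe_ancestors" config value. Setting the
// header in the application keeps it independent of the web server in front of it.

/**
 * Validate one frame-ancestors source: 'self', 'none', or an origin such as
 * https://intranet.example (scheme, host, optional port; no path and no CSP
 * metacharacters, so a malformed config value cannot inject extra directives).
 */
function isValidAncestor(string $src): bool
{
    if ($src === "'self'" || $src === "'none'") {
        return true;
    }
    return (bool) preg_match('#^https?://[A-Za-z0-9.-]+(:\d{1,5})?$#', $src);
}

/**
 * @param string[] $ancestors configured allow-list, e.g. ["'self'", "https://intranet.example"]
 * @return array<string,string> header name => header value
 */
function frameAncestorHeaders(array $ancestors): array
{
    $valid = array_values(array_unique(array_filter($ancestors, 'isValidAncestor')));

    // Empty list or 'none': no embedding at all; also emit the legacy header for old browsers.
    if ($valid === [] || in_array("'none'", $valid, true)) {
        return [
            'Content-Security-Policy' => "frame-ancestors 'none'",
            'X-Frame-Options'         => 'DENY',
        ];
    }

    $headers = ['Content-Security-Policy' => 'frame-ancestors ' . implode(' ', $valid)];
    // X-Frame-Options only knows DENY/SAMEORIGIN (ALLOW-FROM is obsolete), so the
    // legacy header is added only when the policy is exactly same-origin.
    if ($valid === ["'self'"]) {
        $headers['X-Frame-Options'] = 'SAMEORIGIN';
    }
    return $headers;
}

// Usage with a constructed config: the third entry is malformed and is dropped by validation.
$config = ['allowed_iframe_ancestors' => ["'self'", 'https://intranet.example', 'bad-value; script-src *']];
foreach (frameAncestorHeaders($config['allowed_iframe_ancestors']) as $name => $value) {
    header("$name: $value"); // must run before any output is sent
}
```

With that config the response carries `Content-Security-Policy: frame-ancestors 'self' https://intranet.example` and no `X-Frame-Options`; with an empty list it carries `frame-ancestors 'none'` and `X-Frame-Options: DENY`, which is the default a feature flag would keep unless an admin opts in.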