Joomla! Issue Tracker | Joomla! CMS #28066 - [4.0] Add clickjacking protection frame-ancestors to the CSP tooling

? ? ?

Fixed in Code Base
3 Mar 2020
Medium
Build: 4.0-dev
# 28066
Diff
zero-24:frame-ancestors

Pending

Pending Hound Hound is busy sniffing around... Details

User tests: Successful: Unsuccessful:

zero-24
24 Feb 2020

Summary of Changes

Add clickjacking protection frame-ancestors to the CSP tooling. cc @SniperSister

Testing Instructions

Apply this patch
go to System -> Content Security Policy -> Options
enable Content Security Policy
enable report only mode
enable the auto or custom mode of the csp.
save.
open the frontend
check the browser console
set an individual frame-ancestors directive. Example:
make sure only your directive is added to the header.

Expected result

Actual result

you have to manually set the frame-ancestors

Documentation Changes Required

This new option has to be documented here: https://docs.joomla.org/J4.x:Http_Header_Management. Will do this after the merge.

170aed8 24 Feb 2020

add frame-ancestors "self" option to the auto csp

ce803fb 24 Feb 2020

fix some edge cases and make sure it works correctly

a03939b 24 Feb 2020

add language strings

3d4ce3e 24 Feb 2020

add note for the TT's

b570113 24 Feb 2020

move adding of the frame-ancestors directive

13301a2 24 Feb 2020

remove inline comment

zero-24 - open - 24 Feb 2020

zero-24 - change - 24 Feb 2020

Status

New

⇒

Pending

joomla-cms-bot - change - 24 Feb 2020

Category

⇒

Administration com_csp Language & Strings Front End Plugins

blueforce - comment - 29 Feb 2020

Just one thing:

Steps to reproduce:

set the CSP Mode to custom
add directive
add 2nd directive
try delete all direvtives...

Expect result: all directives are deleted
Actual result: I can delete all, until one directive (first) still remain. I can't delete it.

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28066.}

blueforce - test_item - 29 Feb 2020 - Tested unsuccessfully

zero-24 - comment - 29 Feb 2020

@blueforce This seams to be a limitation of the subform field. As you can see by testing before the patch the same issue is there before this patch. When this is the only issue please mark your test here than successful and open an new issue so someone with JS skills can take a look into the subform issue. Thanks!

blueforce - comment - 1 Mar 2020

I have tested this item ✅ successfully on 13301a2

New Bug reported #28171

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28066.}

blueforce - test_item - 1 Mar 2020 - Tested successfully

jwaisner - comment - 2 Mar 2020

I have tested this item ✅ successfully on 13301a2

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28066.}

jwaisner - comment - 2 Mar 2020

I have tested this item ✅ successfully on 13301a2

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28066.}

jwaisner - test_item - 2 Mar 2020 - Tested successfully

jwaisner - change - 2 Mar 2020

Status

Pending

⇒

Ready to Commit

jwaisner - comment - 2 Mar 2020

RTC

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28066.}

wilsonge - change - 3 Mar 2020

Status	Ready to Commit	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2020-03-03 11:02:06
Closed_By		⇒	wilsonge
Labels	Added: ? ? ?

wilsonge - close - 3 Mar 2020

wilsonge - merge - 3 Mar 2020

wilsonge - comment - 3 Mar 2020

Thanks!

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#28066] - [4.0] Add clickjacking protection frame-ancestors to the CSP tooling

Summary of Changes

Testing Instructions

Expected result

Actual result

Documentation Changes Required

Add a Comment