[koha-commits] main Koha release repository branch master updated. v3.22.00-1138-g6efa491

Git repo owner gitmaster at git.koha-community.org
Wed Apr 20 17:58:02 CEST 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  6efa491d1b2f92fa407aa49c7b678f9b642fc83f (commit)
       via  d496d03e8aa3079e0d29837b27b31b9a55afd02e (commit)
      from  98f551faec2627742b0b1d5b72e1791b4451b401 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6efa491d1b2f92fa407aa49c7b678f9b642fc83f
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Apr 8 10:04:20 2016 +0100

    [SIGNED-OFF] Bug 16210: Set X-Frame-Options to SAMEORIGIN in 2 other places
    
    The login page should not be displayed if the page is displayed in a
    frame.
    
    Signed-off-by: Marc Véron <veron at veron.ch>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Brendan Gallagher <bredan at bywatersolutions.com>

commit d496d03e8aa3079e0d29837b27b31b9a55afd02e
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Apr 8 10:03:24 2016 +0100

    [SIGNED-OFF] Bug 16210: Revert OPAC changes from Bug 15111
    
    This patch reverts the changes made at the OPAC from the following
    patches:
    
    Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox"
    This reverts commit fc640d2a86f395ad392f84314bce22e8b4dab1fe.
    
    Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN"
    This reverts commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df.
    
    Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks"
    This reverts commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929.
    
    Setting X-Frame-Options to SAMEORIGIN is enough for modern browsers:
    https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
    
    The antiClickjack trick should be removed at the OPAC as we want to keep
    the OPAC usable even if the user has disabled JS.
    That means the OPAC will be vulnerable to XFS if a user is navigating
    with a prehistoric browser:
    Firefox 3.6.9 September 2010
    IE 8    March 2008
    Opera 10.5  March 2010
    Safari 4  February 2009
    Chrome 4.1.…  sometime in 2010
    
    Test plan:
    Confirm that there is no regression of bug 15111 with modern browsers
    
    Signed-off-by: Marc Véron <veron at veron.ch>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Brendan Gallagher <bredan at bywatersolutions.com>

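The commit above relies on the X-Frame-Options response header alone to stop the OPAC from being framed, now that the JavaScript antiClickjack trick is gone. A defender verifying that change wants a quick way to audit what a set of response headers actually promises. The following Python checker is an added example written for this notification; it is not Koha code and not part of the commits listed here. The header names it inspects (X-Frame-Options and the CSP frame-ancestors directive) are real browser-honoured headers; the sample responses and their labels are constructed for illustration and do not reproduce Koha's actual output.

```python
"""Audit HTTP response headers for framing (clickjacking / cross-frame scripting) protection.

Added example, not Koha project code. Given the headers of one response, classify how
browsers are allowed to frame it. CSP frame-ancestors takes precedence over
X-Frame-Options when both are present; X-Frame-Options values other than DENY and
SAMEORIGIN (for example the obsolete ALLOW-FROM form, or typos) are ignored by modern
browsers and therefore count as no protection at all.
"""
from typing import Dict, Mapping, Optional


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def framing_policy(headers: Mapping[str, str]) -> str:
    """Return one of 'denied', 'same-origin', 'allow-list' or 'unprotected'."""
    csp = _get_header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [p.strip("'").lower() for p in parts[1:]]
                if sources == ["none"]:
                    return "denied"
                if sources == ["self"]:
                    return "same-origin"
                # An explicit list of permitted framing origins: restricted, not open.
                return "allow-list"

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().upper()
        if value == "DENY":
            return "denied"
        if value == "SAMEORIGIN":
            return "same-origin"
        # ALLOW-FROM, multiple values or misspellings: browsers drop the header.

    return "unprotected"


# Constructed sample responses (labels and values invented for this example).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "login page with SAMEORIGIN": {"Content-Type": "text/html",
                                   "X-Frame-Options": "SAMEORIGIN"},
    "page with no framing header": {"Content-Type": "text/html"},
    "lower-case header, DENY": {"x-frame-options": "deny"},
    "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "CSP frame-ancestors none": {"Content-Security-Policy":
                                 "default-src 'self'; frame-ancestors 'none'"},
    "CSP overrides weaker XFO": {"X-Frame-Options": "SAMEORIGIN",
                                 "Content-Security-Policy": "frame-ancestors 'none'"},
}


def audit(responses: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Classify every sampled response; anything 'unprotected' deserves a ticket."""
    return {name: framing_policy(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{verdict:12} {name}")
```

Run it against headers captured from a real login page (for example with `curl -I`) to confirm the SAMEORIGIN setting the patch introduces is actually reaching the browser on every entry point, including the ones this commit touches in addition to the main login handler.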
-----------------------------------------------------------------------

Summary of changes:
 C4/Auth.pm                                             |   16 ++++++++++------
 .../opac-tmpl/bootstrap/en/includes/doc-head-close.inc |   14 --------------
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-idref.tt |    2 +-
 3 files changed, 11 insertions(+), 21 deletions(-)


hooks/post-receive
-- 
main Koha release repository