[wp-trac] [WordPress Trac] #47440: add_header X-Frame-Options
WordPress Trac
noreply at wordpress.org
Fri May 31 01:34:16 UTC 2019
#47440: add_header X-Frame-Options
-------------------------+-----------------------------------
Reporter: sudoranger | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 5.2.1
Severity: normal | Keywords: needs-design-feedback
Focuses: |
-------------------------+-----------------------------------
Hello.
Today, I came across an issue. I'm using the Nginx web server and have this in my
configuration.
add_header X-Frame-Options DENY;
This is the recommended setting to secure Nginx against clickjacking. More
information can be found here: https://www.keycdn.com/blog/x-frame-options
There are three settings for X-Frame-Options:
SAMEORIGIN: This setting will allow the page to be displayed in a frame on
the same origin as the page itself.
DENY: This setting will prevent a page displaying in a frame or iframe.
ALLOW-FROM URI: This setting will allow a page to be displayed only on the
specified origin.
For your information, the WordPress theme and plugin pages:
1. Appearance > Themes > Add New
2. Plugins > Add New
are currently using frames to pull the information from wordpress.org, so
this will end up showing "Connection Refused" unless I change the setting
to add_header X-Frame-Options SAMEORIGIN;
I would like to request that the WordPress team change this behavior to use
a method other than frames to show this "external" web site in the
administration page. This is a very bad experience in terms of UX and
security design, unless you can convince me otherwise that denying
X-Frame-Options isn't a big deal. In my normal Nginx setup, I usually use
DENY to spare my end users unwanted experiences from malicious scripts.
Thank you.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47440>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
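Added example (editor's addition, not part of the ticket above and not WordPress or nginx code): a small Python script that emulates the framing decision a browser makes from the response headers discussed in this ticket, so the difference between DENY and SAMEORIGIN can be checked offline. It follows the X-Frame-Options algorithm in the HTML Standard plus a minimal subset of the CSP3 frame-ancestors directive, which current browsers honour in preference to X-Frame-Options when both are present. The hostnames example.com, attacker.example and partner.example, the /wp-admin/ paths and the header sets are constructed inputs, not observed WordPress behaviour. The ALLOW-FROM form listed in the ticket comes from RFC 7034; current browsers treat it as an unrecognised value and ignore it, which the script reproduces.

```python
"""Emulate a browser's framing decision from X-Frame-Options and CSP frame-ancestors.

Added example for this ticket; not code from WordPress or nginx. Follows the
X-Frame-Options algorithm in the HTML Standard and a minimal subset of the
CSP3 frame-ancestors directive. All URLs and header sets below are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Serialize scheme://host[:port] for an absolute URL, dropping default ports."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def xfo_allows(header_value, framed_url, ancestors):
    """X-Frame-Options check. `ancestors` lists the URLs of the framing documents,
    parent first and top-level last; an empty list means a top-level navigation."""
    if not ancestors or header_value is None:
        return True
    # A repeated or comma-separated header is seen by the browser as a list of values.
    values = {v.strip().lower() for v in header_value.split(",") if v.strip()}
    if len(values) > 1:
        # Conflicting values: browsers fail closed if any recognised token is present.
        return not (values & {"deny", "sameorigin", "allowall"})
    if not values:
        return True
    value = values.pop()
    if value == "deny":
        return False
    if value == "sameorigin":
        own = origin(framed_url)
        return all(origin(a) == own for a in ancestors)
    # Anything else, including the obsolete "ALLOW-FROM uri" of RFC 7034, is
    # ignored by current browsers, so framing is permitted.
    return True


def frame_ancestors_sources(csp_value):
    """Return the frame-ancestors source list from a CSP header value, or None."""
    if csp_value is None:
        return None
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def source_matches(source, ancestor_origin, own_origin):
    """Match one frame-ancestors source: 'none', 'self', or a host source.
    Assumption: wildcard hosts and path components are not handled here."""
    s = source.lower().strip("'")
    if s == "none":
        return False
    if s == "self":
        return ancestor_origin == own_origin
    if "://" not in s:
        # A scheme-less host source takes the scheme of the protected resource.
        s = own_origin.split("://", 1)[0] + "://" + s
    return origin(s) == ancestor_origin


def may_be_framed(headers, framed_url, ancestors):
    """Decide whether the response carrying `headers` may render inside `ancestors`."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors_sources(h.get("content-security-policy"))
    if sources is not None:
        # CSP frame-ancestors takes precedence; X-Frame-Options is then ignored.
        own = origin(framed_url)
        return all(any(source_matches(s, origin(a), own) for s in sources)
                   for a in ancestors)
    return xfo_allows(h.get("x-frame-options"), framed_url, ancestors)


if __name__ == "__main__":
    # Constructed scenario: an admin page on the site frames another page of the
    # same site, and an unrelated site tries to frame that page for clickjacking.
    FRAMED = "https://example.com/wp-admin/page.php"
    ADMIN = ["https://example.com/wp-admin/"]
    ATTACKER = ["https://attacker.example/"]
    cases = [("DENY", {"X-Frame-Options": "DENY"}),
             ("SAMEORIGIN", {"X-Frame-Options": "SAMEORIGIN"}),
             ("CSP self", {"Content-Security-Policy": "frame-ancestors 'self'"})]
    for label, headers in cases:
        print(f"{label:10s} same-origin admin frame: {may_be_framed(headers, FRAMED, ADMIN)}"
              f"  attacker frame: {may_be_framed(headers, FRAMED, ATTACKER)}")
```

The upshot for this ticket: with DENY a page cannot be framed even by a page on its own origin, while SAMEORIGIN (or Content-Security-Policy: frame-ancestors 'self') still blocks framing from every other origin, so the clickjacking protection is not weakened by the change the reporter had to make. Two nginx caveats worth knowing when editing the header: add_header is only emitted for 2xx/3xx responses unless the `always` parameter is given, and a location block that contains its own add_header directive does not inherit add_header directives from the enclosing server block, so a header set at server level can silently disappear for some paths.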