[wp-trac] [WordPress Trac] #47440: add_header X-Frame-Options
WordPress Trac
noreply at wordpress.org
Fri May 31 01:43:03 UTC 2019
#47440: add_header X-Frame-Options
-------------------------------+------------------------------
Reporter: sudoranger | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 5.2.1
Severity: normal | Resolution:
Keywords: 2nd-opinion close | Focuses:
-------------------------------+------------------------------
Changes (by dd32):
* keywords: needs-design-feedback => 2nd-opinion close
Comment:
Iframes have valid use-cases, and as a result using `X-Frame-Options:
SAMEORIGIN` when it's expected an application is using them isn't going to
severely reduce security.
Using `X-Frame-Options: DENY` I believe will also block the WordPress page
embeds (i.e. embedding your blog post preview onto another WordPress site).
Additionally, WordPress already sends an `X-Frame-Options: SAMEORIGIN`
header for Login/Admin requests - #12293
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47440#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
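
The header values discussed in the comment above, worked through as an added example (not part of the ticket and not WordPress code). It is a simplified model of how a browser applies X-Frame-Options, ignoring CSP frame-ancestors; the hosts, the paths and the site-wide DENY policy are constructed assumptions.

```python
# Added example: simplified model of how a browser applies X-Frame-Options.
# Hosts and paths below are constructed sample data, not taken from the ticket.
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

def framing_allowed(headers, framed_url, parent_url):
    """True if framed_url may render in a frame on parent_url (XFO only, no CSP)."""
    values = set()
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values.update(v.strip().lower() for v in value.split(",") if v.strip())
    if "deny" in values or len(values) > 1:
        return False  # explicit deny, or conflicting values
    if "sameorigin" in values:
        return origin(framed_url) == origin(parent_url)
    return True  # header absent or unrecognised: framing is not restricted

SITE, OTHER = "https://blog.example", "https://other.example"
PATHS = ["/wp-login.php", "/wp-admin/", "/hello-world/embed/"]

def policy_current(path):
    """SAMEORIGIN on login/admin only, as the comment describes."""
    if path.startswith(("/wp-login.php", "/wp-admin/")):
        return [("X-Frame-Options", "SAMEORIGIN")]
    return []

def policy_deny_everywhere(path):
    """Hypothetical site-wide DENY."""
    return [("X-Frame-Options", "DENY")]

def audit(policy):
    """Map each path to (framable by own site, framable by another site)."""
    result = {}
    for path in PATHS:
        url, headers = SITE + path, policy(path)
        result[path] = (framing_allowed(headers, url, SITE + "/"),
                        framing_allowed(headers, url, OTHER + "/"))
    return result

if __name__ == "__main__":
    for name, policy in [("current", policy_current), ("deny", policy_deny_everywhere)]:
        for path, (same, cross) in audit(policy).items():
            print(f"{name:8} {path:22} same-site={same} cross-site={cross}")
```

Under the login/admin-only policy the embed path stays framable from another site while login and admin do not; under the site-wide DENY policy nothing is framable, including by the site itself.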