Commit ca7b39aa authored by Frédéric Buclin's avatar Frédéric Buclin

Bug 728892: The attachment "Details" page is still vulnerable to Clickjacking…

Bug 728892: The attachment "Details" page is still vulnerable to Clickjacking with SVG or XHTML attachments r/a=justdave
parent d51abfd7
......@@ -197,7 +197,7 @@
readonly = 'readonly'
%]
[% ELSE %]
<iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]">
<iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]" sandbox>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
<a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
</iframe>
......
......@@ -78,7 +78,7 @@
classes = 'viewall_frame'
%]
[% ELSE %]
<iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
<iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame" sandbox>
<b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
<a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
</iframe>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment