Bug 728892: The attachment "Details" page is still vulnerable to Clickjacking…

Bug 728892: The attachment "Details" page is still vulnerable to Clickjacking with SVG or XHTML attachments r/a=justdave

Bug 728892: The attachment "Details" page is still vulnerable to Clickjacking…
ca7b39aa · Frédéric Buclin · d51abfd7 · ca7b39aa · ca7b39aa
Commit ca7b39aa authored Mar 12, 2014 by Frédéric Buclin
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

edit.html.tmpl template/en/default/attachment/edit.html.tmpl +1 -1

show-multiple.html.tmpl template/en/default/attachment/show-multiple.html.tmpl +1 -1

No files found.
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -197,7 +197,7 @@
                 readonly = 'readonly'
              %]
            [% ELSE %]
-              <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]">
+              <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]" sandbox>
                <b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
                <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
              </iframe>

--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -78,7 +78,7 @@
         classes = 'viewall_frame'
      %]
    [% ELSE %]
-      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
+      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame" sandbox>
        <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
        <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
      </iframe>