Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#5931 closed Bug (duplicate)

please, protect web-ui against Clickjacking-attacks

Reported by: plm___
Owned by:
Priority: Normal
Milestone: None Set
Component: Web Client
Version: 2.84
Severity: Normal
Keywords:
Cc:

Description

good day!

XSS, CSRF and Clickjacking -- these are the three most used web vulnerabilities today (on the internet).

and today, the web UI ( http://localhost:9091/transmission/web/ ) -- is not protected from Clickjacking attacks ..

Clickjacking -- it is not a very serious vulnerability -- but it is still joyless :-( ..

please, add just one new HTTP header to the server http://localhost:9091/ :

Content-Security-Policy: "frame-ancestors 'self'"

this HTTP header will be enough against Clickjacking

thanks in advance! :)

Attachments (1)

Screenshot from 2015-04-21 19-21-59.png (81.5 KB) - added by plm___ 6 years ago.


Change History (3)

Changed 6 years ago by plm___

comment:1 Changed 6 years ago by mike.dld

  • Resolution set to duplicate
  • Status changed from new to closed

Looks like a duplicate of #5894, which suggests adding a Content-Security-Policy: ... frame-ancestors 'none' header. Let's continue the discussion there.

comment:2 Changed 6 years ago by plm___

thanks for the suggestion about ticket #5894 !

I could not find ticket #5894 -- because it does not include the word "Clickjacking", and because #5894 is a "new Enhancement" (not a bug)

... frame-ancestors 'none' -- it is very good! :)
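The description asks for a `frame-ancestors 'self'` policy and comment:1 points to `frame-ancestors 'none'`; the script below, an added example that is not code from Transmission or from this ticket, parses a response's headers and reports which of these anti-framing postures a page actually has, falling back to the older `X-Frame-Options` header. The header sets it inspects are constructed samples; the only value taken from the ticket is the web UI URL. Note that the header value is sent without the double quotes shown in the description, i.e. `Content-Security-Policy: frame-ancestors 'self'`.

```python
"""Classify a response's clickjacking protection from its headers.

Added example (not Transmission code). The header sets in SAMPLES are
constructed; TRANSMISSION_WEB is the URL quoted in the ticket.
"""
from __future__ import annotations

from typing import Mapping

TRANSMISSION_WEB = "http://localhost:9091/transmission/web/"


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated; each is a name followed by whitespace
    separated source expressions. Names are case-insensitive, and a
    repeated directive keeps its first occurrence, as browsers do.
    """
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def framing_protection(headers: Mapping[str, str]) -> str:
    """Return the anti-framing posture of a response.

    'denied'      frame-ancestors 'none' (or an empty list), or X-Frame-Options DENY
    'same-origin' frame-ancestors 'self', or X-Frame-Options SAMEORIGIN
    'restricted'  frame-ancestors names specific origins
    'unprotected' no effective anti-framing header (or a '*' source)

    Header names are matched case-insensitively. A CSP frame-ancestors
    directive wins over X-Frame-Options, as in browsers that support it.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is not None:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            sources = {s.lower() for s in ancestors}
            # CSP3: an empty source list matches nothing, like 'none'.
            if not sources or sources == {"'none'"}:
                return "denied"
            if sources == {"'self'"}:
                return "same-origin"
            if "*" in sources:
                return "unprotected"
            return "restricted"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"


# Constructed responses: what the web UI returned before the fix (no header),
# the header proposed in the description, and the one proposed in #5894.
SAMPLES: dict[str, dict[str, str]] = {
    "unpatched web UI": {"Content-Type": "text/html"},
    "description (frame-ancestors 'self')": {
        "Content-Security-Policy": "frame-ancestors 'self'",
    },
    "#5894 (frame-ancestors 'none')": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "legacy X-Frame-Options only": {"X-Frame-Options": "SAMEORIGIN"},
}


def audit(samples: Mapping[str, Mapping[str, str]]) -> dict[str, str]:
    """Classify every sample response; keys are the sample names."""
    return {name: framing_protection(headers) for name, headers in samples.items()}


if __name__ == "__main__":
    print(f"Framing posture of responses for {TRANSMISSION_WEB}:")
    for name, posture in audit(SAMPLES).items():
        print(f"  {name:40s} -> {posture}")
```

Pointing `framing_protection` at a real response (for example the header dict from `urllib.request.urlopen(TRANSMISSION_WEB).headers`) answers the question the ticket raises for a given build: anything other than `denied` or `same-origin` means the page can still be framed by another origin.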
