Security: Enable iframe buster on all pages, except Widgets
Reported by: matt
Owned by:
Priority: normal
Milestone: 1.7 Piwik 1.7
- Consider extending clickjacking http://dev.piwik.org/trac/changeset/4451#file0 and http://piwik.org/faq/how-to/#faq_92 to all pages, including: Email reports, API page.
- Also, can we remove token_auth from all rendered Piwik pages?
When a report is iframed and the token_auth is NOT specified, it would be nice if the token_auth was NOT displayed at all on any page. This would prevent clickjacking even further.
Change History (10)
comment:7 Changed 2 years ago by matt (mattab)
- Resolution set to fixed
- Status changed from new to closed
comment:8 Changed 2 years ago by matt (mattab)
- Summary changed from "Consider iframe buster to all pages, including widgets" to "Enable iframe buster on all pages, except Widgets"