Hey there @bjoern
You once posted this message:
Restricting use on iframes sometimes makes sense from a security perspective (cf. clickjacking). That said, I do not sufficiently understand the interplay of service workers and X-Frame-Options, that does not seem to be specified in general and may be the reason for the different observations in Safari and Chrome.
From which it seems like there was no initial intent to set the X-Frame-Origin header to Deny, and this is some kind of misunderstanding within the team. Did you guys figure it out? Could you please ping someone who can elaborate on that?
It looks like clickjacking can still be performed, judging by this:
3cL1p5e7:
Point 1.
If you first open the link without raw (https://CANISTER_ID.ic0.app) in another tab (“warm up”), then this link starts to open in the IFrame of https://PARENT_CANISTER_ID.ic0.app.
This is because the service worker is already loaded, the service worker checks the certificates, and the browser caches the result of the request. At the next request for https://CANISTER_ID.ic0.app, the data is taken from the cache and the X-Frame-Origin: Deny header is absent (which does not interfere with the display in the iframe).
Thanks in advance!
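The observation quoted above is that a response served from the service worker's cache lacks the framing header the network response carried. The following is an added illustration, not code from the forum thread or from the ic0.app service worker, of a fetch handler that re-applies framing protection to every response it hands back, cache hit or not. The header map helpers (`hardenHeaders`, `withFrameAncestorsNone`) and the handler name `respondHardened` are my own; the example also adds the CSP `frame-ancestors 'none'` directive alongside `X-Frame-Options: DENY`, since modern browsers prefer the CSP directive when both are present. Whether a browser honours framing headers on a response synthesized by a service worker is exactly the open question raised in the quoted message, so this shows where the header goes missing and how to put it back, not a guarantee of enforcement.

```javascript
// Added example: re-apply framing protection in a service worker fetch
// handler so that cache hits carry the same headers as network responses.
// All names here are illustrative, not from the project under discussion.

// Ensure a CSP string ends up with exactly one frame-ancestors directive
// set to 'none', keeping every other directive the response already had.
function withFrameAncestorsNone(csp) {
  const directives = (csp || '')
    .split(';')
    .map((d) => d.trim())
    .filter(Boolean)
    .filter((d) => !/^frame-ancestors\b/i.test(d));
  directives.push("frame-ancestors 'none'");
  return directives.join('; ');
}

// Pure function over a plain header map. Keys are normalised to lower case,
// X-Frame-Options is forced to DENY (an existing permissive value must not
// win), and frame-ancestors is merged into any existing CSP.
function hardenHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  out['x-frame-options'] = 'DENY';
  out['content-security-policy'] = withFrameAncestorsNone(out['content-security-policy']);
  return out;
}

// Service worker glue (browser only). Serves from Cache Storage when possible,
// otherwise from the network, and wraps the result so hardenHeaders() runs on
// both paths. Response/caches only exist in the worker, hence the guard below.
async function respondHardened(request) {
  const cached = await caches.match(request);
  const upstream = cached || (await fetch(request));
  const headers = hardenHeaders(Object.fromEntries(upstream.headers));
  return new Response(upstream.body, {
    status: upstream.status,
    statusText: upstream.statusText,
    headers,
  });
}

if (
  typeof self !== 'undefined' &&
  typeof self.addEventListener === 'function' &&
  typeof caches !== 'undefined'
) {
  self.addEventListener('fetch', (event) => {
    event.respondWith(respondHardened(event.request));
  });
}
```

A quick check for the cache-hit case described in the post: a header map without `x-frame-options` comes back from `hardenHeaders()` with both `x-frame-options: DENY` and a `frame-ancestors 'none'` directive, and a map whose CSP already allowed `frame-ancestors *` has that directive replaced rather than appended to.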