Bug 455502

Summary: Disallowed frame when viewing/editing attachments
Product: [Websites] bugs.kde.org
Reporter: Alex <allo>
Component: general
Assignee: KDE sysadmins <sysadmin>
Status: RESOLVED FIXED
Severity: normal
CC: bcooksley, mysignup27, sheedy
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Other   
OS: Other   

Description Alex 2022-06-17 17:46:41 UTC
SUMMARY

When following an attachment link https://bugs.kde.org/attachment.cgi?id=XXXXXX&action=edit there is a frame that tries to load data from a different subdomain, which seems to be forbidden by frame options and results in the error message:

Firefox Can’t Open This Page

To protect your security, bugsfiles.kde.org will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window.
Comment 1 Ben Cooksley 2022-06-18 09:42:01 UTC
Not ideal that Bugzilla has this functionality, as it means we have to remove that header from bugs.kde.org (and bugsfiles.kde.org in turn).

I've now made that change.
Comment 2 Alex 2022-06-18 10:01:52 UTC
I am not sure what headers you had set, but I think the X-Frame-Options (or similar) is quite strict, but you can use CSP with frame-src to selectively allow only some domains. That way you can probably still prevent framing in third-party sites without breaking the frame on bugs.kde.org itself.
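
An added example, not part of the thread and not KDE's actual configuration: a simplified Python model of how a browser decides whether a response may be framed, using the two hostnames from this report. The header values and `third-party.example` are constructed. The model uses `frame-ancestors`, the CSP directive a framed response sends to restrict its embedders, and it checks only the direct parent while ignoring ports and scheme-only sources.

```python
from urllib.parse import urlsplit

def source_matches(source, parent, page):
    """Match one frame-ancestors source expression against the embedding origin."""
    if source == "*":
        return True
    if source == "'self'":
        return parent == page
    p = urlsplit(parent)
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != p.scheme:
        return False
    if host.startswith("*."):            # wildcard covers subdomains only
        return p.hostname.endswith(host[1:])
    return p.netloc == host              # 'none' and unknown keywords never match

def framing_allowed(headers, page, parent):
    """True if a response served from origin `page` may be framed by origin `parent`."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When frame-ancestors is present, browsers ignore X-Frame-Options.
            return any(source_matches(s, parent, page) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == page
    return True                          # no framing restriction sent at all

# Constructed inputs: hostnames come from the report, header values are assumptions.
FILES = "https://bugsfiles.kde.org"      # origin serving the attachment
BUGS = "https://bugs.kde.org"            # page that embeds the frame
OTHER = "https://third-party.example"    # unrelated embedding site
XFO_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
CSP_ALLOWLIST = {
    "Content-Security-Policy": "frame-ancestors 'self' https://bugs.kde.org",
    "X-Frame-Options": "SAMEORIGIN",     # kept for old browsers, overridden by CSP
}

if __name__ == "__main__":
    for name, hdrs in (("XFO only", XFO_ONLY), ("CSP allow-list", CSP_ALLOWLIST)):
        for parent in (BUGS, OTHER):
            print(f"{name:15} parent={parent:28} allowed={framing_allowed(hdrs, FILES, parent)}")
```

With `SAMEORIGIN` alone the cross-subdomain frame is refused, which is the failure reported here; the allow-list policy permits bugs.kde.org while still refusing other embedders.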
Comment 3 FreeLibre 2023-10-05 09:17:48 UTC
This is not fixed and can still be reproduced here:
https://bugs.kde.org/attachment.cgi?id=161716&action=edit
Comment 4 Ben Cooksley 2023-10-05 14:56:46 UTC
Regressed due to browser behaviour changes. Has now been fixed again.