Bug 455502 - Disallowed frame when viewing/editing attachments
Summary: Disallowed frame when viewing/editing attachments
Status: RESOLVED FIXED
Alias: None
Product: bugs.kde.org
Classification: Websites
Component: general
Version: unspecified
Platform: Other Other
Importance: NOR normal
Target Milestone: ---
Assignee: KDE sysadmins
Reported: 2022-06-17 17:46 UTC by Alex
Modified: 2023-10-05 14:56 UTC

Description Alex 2022-06-17 17:46:41 UTC
SUMMARY

When following an attachment link https://bugs.kde.org/attachment.cgi?id=XXXXXX&action=edit there is a frame which tries to load data from a different subdomain, which seems to be forbidden by frameoptions and results in the error message:

Firefox Can’t Open This Page

To protect your security, bugsfiles.kde.org will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window.
Comment 1 Ben Cooksley 2022-06-18 09:42:01 UTC
Not ideal that Bugzilla has this functionality, as it means we have to remove that header from bugs.kde.org (and bugsfiles.kde.org in turn).

I've now made that change.
Comment 2 Alex 2022-06-18 10:01:52 UTC
I am not sure what headers you had set, but I think the X-Frame-Options (or similar) is quite strict, but you can use CSP with frame-src to selectively allow only some domains. That way you can probably still prevent framing in third-party sites without breaking the frame on bugs.kde.org itself.
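
An added example (not part of this thread and not KDE's configuration) that compares the framing controls discussed above for the bugs.kde.org page that frames bugsfiles.kde.org. The header values are assumed, since the thread does not state them; it uses CSP `frame-ancestors`, the directive a framed response sends to name the origins allowed to embed it, and simplifies matching to a single parent and explicit origins.

```python
from urllib.parse import urlsplit

# Constructed sample values: the hosts come from the report, the headers are assumed.
PARENT = "https://bugs.kde.org/attachment.cgi?id=XXXXXX&action=edit"
FRAMED = "https://bugsfiles.kde.org/"
THIRD_PARTY = "https://example.com/"
XFO_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
CSP_ALLOWLIST = {"Content-Security-Policy": "frame-ancestors 'self' https://bugs.kde.org"}

def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"https": 443, "http": 80}.get(u.scheme))

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None when it is absent."""
    for directive in (csp or "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def source_matches(source, parent_url, framed_url):
    """Simplified matching: 'none', 'self', or an explicit scheme://host origin."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin(parent_url) == origin(framed_url)
    return origin(source) == origin(parent_url)

def may_frame(parent_url, framed_url, headers):
    """Would a browser let parent_url embed framed_url, given the framed response headers?"""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is not None:  # frame-ancestors present: X-Frame-Options is ignored
        return any(source_matches(s, parent_url, framed_url) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(parent_url) == origin(framed_url)
    return True  # no framing restriction: any site may embed the page

if __name__ == "__main__":
    for name, headers in [("XFO only", XFO_ONLY), ("no header", {}), ("CSP", CSP_ALLOWLIST)]:
        print(name, may_frame(PARENT, FRAMED, headers), may_frame(THIRD_PARTY, FRAMED, headers))
```

With the assumed `SAMEORIGIN` header the cross-subdomain frame is refused, with no header every site may embed the attachment host, and with the allowlist only bugs.kde.org may.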
Comment 3 FreeLibre 2023-10-05 09:17:48 UTC
This is not fixed and can still be reproduced here:
https://bugs.kde.org/attachment.cgi?id=161716&action=edit
Comment 4 Ben Cooksley 2023-10-05 14:56:46 UTC
Regressed due to browser behaviour changes. Has now been fixed again.