Clickjacking vulnerability
Reported by harsh0707051mail@gmail.com, chaskar87@gmail.com and https://gitlab.zendesk.com/agent/#/tickets/209.
http://javascript.info/tutorial/clickjacking#x-frame-options
I suggest to solve this by moving the static hosting from S3 to a VPS running nginx.
/cc @marin @sytse @dzaporozhets
Activity
Sytse must buy SSL certificate for www.gitlab.com from https://www.sslcertificaten.nl/
Also see https://dev.gitlab.org/gitlab/gitlabhq/issues/732 for demo.gitlab.com issue.
Reported again by https://gitlab.zendesk.com/agent/#/tickets/209.
@sytses might it make sense to start with nginx serving plain HTTP from a DO box? That way we can already address the clickjacking. Adding SSL would be the next step.
https://gitlab.com/gitlab-com/www-gitlab-com/milestones/1
@sytses comment in #4 (closed) when you have activated the DO droplet.
@jacobvosmaer I'm going to add
add_header X-Frame-Options DENY;to the config of the Amazon server of https://gitlab.com@jacobvosmaer OK, I didn't realize that but I also think it also will not hurt.
@jacobvosmaer And it might help for static assets (uploads in public dir?).
@jacobvosmaer Makes sense. I could say I want to keep it congruent with our Chef cookbook settings https://gitlab.com/gitlab-org/cookbook-gitlab/merge_requests/8/diffs#71e2308b7d42561ae82d63945d32836620f15cb0_14_14 but that is not really true :-)
mentioned in commit 335707b1
mentioned in commit 6b4e802e
mentioned in issue #656
mentioned in issue #778 (closed)
mentioned in issue #781 (closed)
mentioned in issue marketing#441
Mentioned in issue #967 (closed)
mentioned in merge request !4124 (merged)
mentioned in issue #1336 (closed)
mentioned in issue #1469
mentioned in merge request !6439 (merged)
mentioned in merge request !6521 (closed)
mentioned in commit 4590471e
mentioned in commit af99cc20
