author Samuel Mehrbrodt <Samuel.Mehrbrodt@cib.de> 2018-11-23 09:33:13 +0100
committer Samuel Mehrbrodt <Samuel.Mehrbrodt@cib.de> 2018-11-23 16:33:55 +0100
commit 296aba1beae64a65e4e86631a9c1458073ec8c2e
tree 1316a4d055a112b4c9f198b2480ef9d7534879c7 /loolwsd.xml.in
parent Fix scrolling when moving the cell cursor outside view in a spreadsheet
Improve allowed frame-ancestors

Beforehand, any host could embed the iframe as the Referer was always allowed. Now, only the loolwsd and the WOPI host are allowed to do that. Additionally, a config option has been added to add more allowed hosts. X-Frame-Options support has been removed as it supports only one host and CSP is meanwhile supported in ~all major browsers.

Change-Id: I222720e1220116102708c50edaf08e2a4a0aebda
Reviewed-on: https://gerrit.libreoffice.org/63864
Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Reviewed-by: Samuel Mehrbrodt <Samuel.Mehrbrodt@cib.de>
Tested-by: Samuel Mehrbrodt <Samuel.Mehrbrodt@cib.de>
Diffstat (limited to 'loolwsd.xml.in')
-rw-r--r-- loolwsd.xml.in 1
1 files changed, 1 insertions, 0 deletions
diff --git a/loolwsd.xml.in b/loolwsd.xml.in
index 6842a782cc..48c053adb1 100644
--- a/loolwsd.xml.in
+++ b/loolwsd.xml.in
@@ -79,6 +79,7 @@
<host desc="Ditto, but as IPv4-mapped IPv6 address">::ffff:127\.0\.0\.1</host>
<host desc="The IPv6 loopback (localhost) address.">::1</host>
</post_allow>
+ <frame_ancestors desc="Specify who is allowed to embed the LO Online iframe (loolwsd and WOPI host are always allowed). Separate multiple hosts by space."></frame_ancestors>
</net>
<ssl desc="SSL settings">
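Review bot: The desc on the added <frame_ancestors> line does not say what form each entry takes, and the sibling <host> entries directly above it are written as escaped regexes (::ffff:127\.0\.0\.1) while this element is a space-separated list. Suggest stating in the desc whether entries are bare hostnames or full origins with scheme and port, and whether wildcards are accepted, so that an operator does not paste a regex here or omit the scheme. It would also help to say what the empty default means, namely that only loolwsd and the WOPI host may embed the iframe, since this value decides who can frame the editor.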