Perhaps we should, but being able to frame pages is something that people always want as a feature.
On Saturday, 28 March 2015 09:52:58 UTC-5, Anthony wrote:
>
> On Friday, March 27, 2015 at 7:12:02 PM UTC-4, Scott Hunter wrote:
>>
>> 1. Does web2py employ, allow or support any anti-framing measures, to
>> prevent "an attack that can trick the user into clicking on the link by
>> framing the original page and showing a layer on top of it with dummy
>> buttons"? If so, any pointers to either documentation describing how these
>> are present, or how one would enable them, would be appreciated.
>> Supposedly not employing such measures can allow clickjacking and/or CSRF.
>>
>
> I don't think web2py does anything by default, but you can add protection
> yourself by setting the X-Frame-Options and/or Content-Security-Policy
> headers in a model file:
>
>     response.headers['X-Frame-Options'] = "SAMEORIGIN"
>     response.headers['Content-Security-Policy'] = "frame-ancestors 'self'"
>
> Perhaps web2py should set the Content-Security-Policy header by default,
> maybe with an optional configurable whitelist of allowed ancestors.
>
> Note, you can also configure your server (e.g., nginx, Apache) to
> automatically set the above headers.
>
> You can also implement a JavaScript defense, such as this one:
> <https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script>
>
>> 2. Does, or can, web2py "prevent the browser from prompting the user to
>> save populated values for later reuse"?
>>
>
> It doesn't by default (as that is a user preference configurable in the
> browser), but nothing stops you from using the various available solutions,
> such as setting the "autocomplete" attribute of form and input elements to
> "off" (which can be done on the server or via JavaScript) or using
> JavaScript to reset the form after rendering.
>
> Anthony
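As an added worked example (not code from the thread, and not part of web2py itself), the following turns Anthony's suggestion of an "optional configurable whitelist of allowed ancestors" into a small helper. It builds the two anti-clickjacking headers from a whitelist, validates each entry so that a typo or a non-HTTP scheme cannot silently weaken the policy, and shows why X-Frame-Options is only emitted for the two cases it can actually express. The function names, the whitelist format (scheme://host[:port], optionally with a leading wildcard label, plus the keyword 'self') and the use of a plain dict in place of web2py's response.headers are all assumptions made for the example; in a real web2py model file you would pass response.headers itself to apply_to_response, which has the effect of setting the headers on every request the application serves.

```python
import re

# Accepted whitelist entries: https://example.com, http://localhost:8000,
# https://*.example.com. Assumption for this example: anything else is rejected.
_SOURCE_RE = re.compile(r"^(https?:)//(\*\.)?[A-Za-z0-9.-]+(:\d+)?$")


def csp_frame_ancestors(allowed=None):
    """Return the value of a Content-Security-Policy frame-ancestors directive.

    allowed: iterable of origins permitted to frame the page; the keyword
    'self' (with or without quotes) means the page's own origin. None or an
    empty list means the page may not be framed at all.
    Raises ValueError on an entry that is not a recognised source so that a
    malformed whitelist fails loudly instead of producing a policy that a
    browser would ignore or interpret more loosely than intended.
    """
    sources = []
    for src in allowed or []:
        if src in ("'self'", "self"):
            token = "'self'"
        elif _SOURCE_RE.match(src):
            token = src
        else:
            raise ValueError("not a valid frame-ancestors source: %r" % (src,))
        if token not in sources:          # keep the directive free of duplicates
            sources.append(token)
    if not sources:
        return "frame-ancestors 'none'"
    return "frame-ancestors " + " ".join(sources)


def anti_framing_headers(allowed=None):
    """Build the header dict for a given whitelist of allowed framing origins."""
    csp = csp_frame_ancestors(allowed)
    headers = {"Content-Security-Policy": csp}
    # X-Frame-Options can express only "nobody" and "same origin". Its
    # ALLOW-FROM form takes a single origin and is not honoured by every
    # browser, so for a cross-origin whitelist the CSP directive is the
    # only header set rather than one that could contradict it.
    if csp == "frame-ancestors 'none'":
        headers["X-Frame-Options"] = "DENY"
    elif csp == "frame-ancestors 'self'":
        headers["X-Frame-Options"] = "SAMEORIGIN"
    return headers


def apply_to_response(response_headers, allowed=None):
    """Merge the anti-framing headers into a response.headers-style dict.

    In a web2py model file you would call apply_to_response(response.headers,
    ALLOWED_ANCESTORS); here any dict works, so the example runs offline.
    """
    response_headers.update(anti_framing_headers(allowed))
    return response_headers


if __name__ == "__main__":
    # Constructed stand-in for web2py's response.headers.
    fake_response_headers = {"Content-Type": "text/html; charset=utf-8"}
    print(apply_to_response(fake_response_headers, ["'self'"]))
    print(anti_framing_headers(["'self'", "https://partner.example.com"]))
```

Note that the headers are only half the defence: the CSP directive is enforced by the browser that renders the page, so an old browser that understands neither header still needs the frame-breaking script Anthony links to, and a page served with Content-Security-Policy must not also carry a conflicting policy added by a reverse proxy.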