[p2pu-dev] X-Frame-Options: DENY

Dirk Uys dirk at p2pu.org
Mon Aug 13 08:53:16 UTC 2012


Hi Dan

It seems like this header is added by the
commonware.middleware.FrameOptionsHeader middleware to prevent
clickjacking. Removing this header may expose users to that attack
vector.

Maybe we can look at setting the header on a more granular level to
allow embedding where it makes sense?

How would you like to embed P2PU in another site? Sounds interesting!

Cheers
Dirk

On Fri, Aug 10, 2012 at 3:39 AM, Dan Diebolt <dandiebolt at gmail.com> wrote:
> Well it is not directly related to the API but the presence of the DENY
> header prevents p2pu.org from being placed in an iframe.
>
> HTTP/1.1 200 OK
> Date: Fri, 10 Aug 2012 01:34:54 GMT
> Server: Apache/2.2.12 (Ubuntu)
> Vary: Accept-Language,Cookie,Accept-Encoding
> X-Frame-Options: DENY
> Content-Language: en
> Content-Encoding: gzip
> Content-Length: 7154
> Keep-Alive: timeout=15, max=90
> Connection: Keep-Alive
> Content-Type: text/html; charset=utf-8
>
> There are some pretty clever ways to turn any p2pu.org page into an ad hoc
> API through scraping if you remove this unnecessary header.
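The granular approach Dirk suggests, as an added illustration that is not p2pu's or commonware's code: a framework-neutral Python sketch of per-view X-Frame-Options handling, plus a check that parses a captured response head like the one quoted in the thread and says whether another origin could frame it. The `policy` strings and the header-dict plumbing are assumptions, not any real middleware's API.

```python
from typing import Dict, Optional

DENY = "DENY"
SAMEORIGIN = "SAMEORIGIN"
HEADER = "X-Frame-Options"

# Constructed sample: the response head quoted in the thread, trimmed to a few lines.
CAPTURE = """HTTP/1.1 200 OK
Date: Fri, 10 Aug 2012 01:34:54 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Frame-Options: DENY
Content-Type: text/html; charset=utf-8
"""

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a dict, skipping the status line.
    Header names are case-insensitive, so keys are stored lower-cased."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def apply_frame_options(headers: Dict[str, str], policy: Optional[str] = None) -> Dict[str, str]:
    """Middleware-style step that sets X-Frame-Options per view, not globally.
    policy None         -> DENY (the safe default the site applies today)
    policy 'sameorigin' -> SAMEORIGIN (only p2pu.org itself may frame the view)
    policy 'exempt'     -> no header, so any site may frame this one view
    A header the view already set explicitly is left untouched."""
    out = dict(headers)
    if HEADER.lower() in {k.lower() for k in out} or policy == "exempt":
        return out
    out[HEADER] = SAMEORIGIN if policy == "sameorigin" else DENY
    return out

def frameable_by(headers: Dict[str, str], embedder_origin: str, page_origin: str) -> bool:
    """Decide, as a browser honouring X-Frame-Options would, whether
    embedder_origin may put the page in an iframe given its response headers."""
    value = headers.get(HEADER.lower(), headers.get(HEADER))
    if value is None:
        return True  # no header at all: the page is framable from anywhere
    value = value.strip().upper()
    if value == DENY:
        return False
    if value == SAMEORIGIN:
        return embedder_origin == page_origin
    return False  # assumption: treat any other value as conservatively as DENY
```

Running `frameable_by(parse_headers(CAPTURE), "http://example.org", "http://p2pu.org")` reproduces what Dan observed: with DENY present, no third-party site can embed the page.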
