Duplicate values for x-frame-options - security

I'm setting x-frame-options on the pages of my website but due to some nested logic, on some pages I see duplicate values like:
X-FRAME-OPTIONS:SAMEORIGIN,SAMEORIGIN
instead of:
X-FRAME-OPTIONS:SAMEORIGIN
Is it okay to have duplicate values assigned to X-FRAME-OPTIONS and will it pick the first value that is assigned and ignore the rest?
Thank you.

This should be fine on most modern browsers. Apparently, there was an issue where a duplicated value in the X-FRAME-OPTIONS header would cause the header to be ignored entirely, but this has been fixed in Firefox > 14. I imagine that this issue, if it ever existed in the first place, has been similarly fixed in Chrome and Edge as well.

I am researching the same thing, as we have added X-FRAME-OPTIONS but it is ALSO added by Html.AntiForgeryToken().
I have not found a conclusive answer to the duplicates, though it does seem that if they ARE the same it is not a problem. The issue does remain, however, if there are conflicting multiple entries since they can be mutually exclusive. I did find a solution that worked for me, specifically the SuppressXFrameOptionsHeadersAttribute.
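An audit helper for the situation in the question, added here as an example (it is not code from the question, the answers, or any of the frameworks they mention). It assumes the response headers are available as a list of (name, value) pairs, which is how most HTTP client libraries expose repeated header lines; the sample responses at the bottom are constructed for the demonstration. The helper splits comma-joined values (the "SAMEORIGIN,SAMEORIGIN" shape from the question) as well as repeated header lines, then distinguishes the harmless case (same directive twice) from the dangerous one (DENY next to SAMEORIGIN) that the second answer warns about.

```python
"""Audit and normalise X-Frame-Options on an HTTP response (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The two directives current browsers honour; ALLOW-FROM is obsolete and is
# only recognised here so it is not reported as garbage.
VALID_DIRECTIVES = {"DENY", "SAMEORIGIN"}

Header = Tuple[str, str]


@dataclass
class XfoReport:
    raw_values: List[str] = field(default_factory=list)     # every token, in order
    unique_values: List[str] = field(default_factory=list)  # de-duplicated, order kept
    unrecognised: List[str] = field(default_factory=list)   # tokens a browser would not understand
    duplicated: bool = False     # same directive repeated: harmless, but worth cleaning up
    conflicting: bool = False    # different directives, e.g. DENY and SAMEORIGIN
    effective: Optional[str] = None  # the single value safe to ship, or None


def audit_x_frame_options(headers: List[Header]) -> XfoReport:
    """Collect X-Frame-Options from repeated lines and comma-joined values."""
    report = XfoReport()
    for name, value in headers:
        if name.lower() != "x-frame-options":
            continue
        # Servers that merge duplicate headers join them with commas, which is
        # exactly how "SAMEORIGIN,SAMEORIGIN" ends up on the wire.
        for token in value.split(","):
            token = token.strip().upper()
            if token:
                report.raw_values.append(token)

    for token in report.raw_values:
        if token not in report.unique_values:
            report.unique_values.append(token)
        is_known = token in VALID_DIRECTIVES or token.startswith("ALLOW-FROM ")
        if not is_known and token not in report.unrecognised:
            report.unrecognised.append(token)

    report.duplicated = len(report.raw_values) > len(report.unique_values)
    report.conflicting = len(report.unique_values) > 1
    if len(report.unique_values) == 1 and not report.unrecognised:
        report.effective = report.unique_values[0]
    return report


def dedupe_x_frame_options(headers: List[Header]) -> List[Header]:
    """Return a copy of the headers carrying at most one X-Frame-Options line.

    Identical repeats are collapsed. Conflicting or unrecognised directives raise,
    so the nested logic producing them gets fixed rather than papered over.
    """
    report = audit_x_frame_options(headers)
    others = [(n, v) for n, v in headers if n.lower() != "x-frame-options"]
    if report.raw_values and report.effective is None:
        raise ValueError(f"conflicting or invalid X-Frame-Options: {report.raw_values}")
    if report.effective:
        others.append(("X-Frame-Options", report.effective))
    return others


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "duplicate_same": [("Content-Type", "text/html"),
                       ("X-Frame-Options", "SAMEORIGIN,SAMEORIGIN")],
    "repeated_line": [("X-Frame-Options", "SAMEORIGIN"),
                      ("x-frame-options", "SAMEORIGIN")],
    "conflicting": [("X-Frame-Options", "DENY"),
                    ("X-Frame-Options", "SAMEORIGIN")],
    "clean": [("X-Frame-Options", "DENY")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        r = audit_x_frame_options(hdrs)
        print(f"{label:15} unique={r.unique_values} duplicated={r.duplicated} "
              f"conflicting={r.conflicting} effective={r.effective}")
```

Run it against the headers your own server returns (any client that exposes raw header pairs will do): a report with duplicated=True and conflicting=False is the question's case and only needs tidying, whereas conflicting=True means two code paths disagree about framing policy and the browser's choice between them is not something to rely on.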

Related

Express doesn't allow changing the CSP header

For some reason the latest Express.JS versions are forcing a default, restrictive CSP (Content-Security-Policy) header value.
I'm trying to instantiate a middleware in order to change CSP to a more permissive one (which is what I currently need for the project), but Express.JS seems to ignore every value for the Content-Security-Policy header. Calling res.setHeader("...", "some value") does work in that middleware when I change the key name to anything but "Content-Security-Policy". I'm not defining this header anywhere else, so it seems to come from Express.JS itself. What exactly is going on, and how do I correctly make Express.JS recognize it?
Example: requesting the main page shows the default restrictive header for CSP, ignoring the value I set on line 29
Another example: changing the header to another name that's not CSP correctly enlists it to the headers

Header comments in UFlex ATP surviving to PAT

I notice on UFlex that when you compile, you lose all the header version information stuff.
This was always an issue on the 93K and I was looking forward to getting it back on Teradyne, but it seems to remove all comments before the pins statement. Any work-around? An option to put it after the header or something?

jquery-validation-engine isOverflown and overflownDIV

I think I need to use the "isOverflown" (probably set to "true") and "overflownDIV" (probably set to some DIV selector) options. These options are specified on this blog post. Has anyone used these options? I can see them in the source code, but I cannot get them to work. I think I am setting "overflownDIV" to the wrong value. Any examples would be much appreciated.
As per another post, I am trying to get the scrolling to work correctly and I believe these two options are meant to help with that.
EDIT:
I believe, based on the reference to isOverflown being deprecated, that overflownDIV is also deprecated.
Underneath the "demos" directory, there are a bunch of helpful examples.
One such example is for the "overflownDIV" situation (demoOverflown.html). But I actually don't think it does anything. I don't think it does anything because, in the code for the engine itself (jquery.validationEngine.js) and in the debugger, it won't get to that part of the code unless "isOverflown" is true, and since isOverflown is false, we never get into that part of the code for the demo. There is no reference to "isOverflown" at all under "demos". In fact, the only reference is in jquery.validationEngine.js. As such, it seems that that feature has been deprecated. If anyone disagrees, please tell me.
Thanks.
A better way to solve this type of issue can be seen here, especially since isOverflown seems to have been deprecated.

What would cause channel entries to no longer parse after an update (2.3.1 to 2.5.3)

I'm in the process of updating a client's site to the latest version of EE, and while the update went pretty smoothly, {exp:channel:entries} tags no longer render anything inside of them, yet I see that the date on the entry is current or a previous date, the status is set to open, and yes, dynamic="no" was already set. I can't imagine what would cause this, and a database export reveals that all the channel entries are there. The pages aren't completely blank; the templates themselves render without a problem, it's just the {exp:channel:entries} tags so far.
Is there anything I can do to test against this? Running the query module with:
{exp:query sql="SELECT * FROM exp_channel_data "}
{title}
{/exp:query}
returns with a hashed value of M00o93H7pQ09L8X1t49cHY01Z5j4TT91fGfr.
I've only ever seen that error when Structure was involved.
After doing some digging, it turned out that when I turned off my extensions, the content showed up. As a result, I tried disabling extensions one by one until the culprit revealed itself to be Solspace's Supersearch. It was a previous version of the add-on, and updating it to the most current version brought everything back!

IE secure and unsecure items issue

I'm trying to get rid of the error pop-up window that appears in IE saying "page contains both secure and non-secure items". I have made sure all the links are pointing to https:// rather than http://. I have also looked at the Fiddler and Firebug logs to see that all the requests are being made to https:// links only.
Here's a similar question asked on SO: IE - "This page contains both secure and non-secure items"
The guy whose answer was accepted hit right on target. I wish I knew how he debugged to narrow down to that solution.
Any help is appreciated.
Thanks
You don't need to actually load a resource in order to trigger the warning; a reference is all it takes. The <object> used to load a Flash applet is enough (if you reference the HTTP URI for the Flash Plugin).
The easiest thing to do is to open up the source and search for 'http:' with your editor. If that doesn't turn up anything, do the same with the output of document.getElementsByTagName('html')[0].innerHTML.
You could either do a top-down or bottom-up approach to try to track down the issue. Top-down is where you'd start commenting out stuff until it goes away while in the bottom-up case you strip out everything and then slowly start adding back in things like Flash, Javascript, and CSS as it may be some include or function that is the culprit.
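To make the answer's "search the source for 'http:'" advice repeatable (and to catch the <object> case it mentions, where the plugin is referenced rather than loaded), here is an added example; it is not code from the question or the answer. It assumes the page markup is available as a string, for instance saved from the browser's rendered DOM as the answer suggests, and the sample document and every URL in it are constructed placeholders. It reports attributes that make the browser fetch or reference a resource, plus url() values in inline and embedded CSS, and deliberately ignores plain <a href> links, which navigate rather than load.

```python
"""Find insecure http: references in a page meant to be served over HTTPS (added example)."""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Attributes whose value the browser fetches or registers as a resource.
FETCH_ATTRIBUTES = {"src", "data", "action", "codebase", "poster", "background"}
# url(...) inside a style attribute or a <style> block, http: scheme only.
CSS_URL = re.compile(r"url\(\s*['\"]?(http:[^'\")\s]+)", re.IGNORECASE)
HTTP_PREFIX = re.compile(r"^\s*http:", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (tag, attribute or 'url()', url)


def _is_fetch_attribute(tag: str, name: str) -> bool:
    if name == "href":
        return tag == "link"  # <link href> loads; <a href> only navigates
    return name in FETCH_ATTRIBUTES


class InsecureReferenceFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if _is_fetch_attribute(tag, name) and HTTP_PREFIX.match(value):
                self.findings.append((tag, name, value.strip()))
            elif name == "style":
                for url in CSS_URL.findall(value):
                    self.findings.append((tag, "style", url))
            elif tag == "param" and name == "value" and HTTP_PREFIX.match(value):
                # <param name="movie" value="http://..."> inside an <object>
                self.findings.append((tag, name, value.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands <style> contents to handle_data unparsed.
        if self._in_style:
            for url in CSS_URL.findall(data):
                self.findings.append(("style", "url()", url))


def find_insecure_references(html: str) -> List[Finding]:
    finder = InsecureReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; hosts and paths are placeholders, not real sites.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<style>body { background: url("http://cdn.example/bg.png"); }</style>
</head><body>
<img src="https://cdn.example/logo.png">
<object classid="clsid:PLACEHOLDER" codebase="http://cdn.example/flash/player.cab">
  <param name="movie" value="http://cdn.example/banner.swf">
</object>
<div style="background-image:url(http://cdn.example/tile.png)"></div>
<a href="http://www.example.com/">plain link, not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_references(SAMPLE_HTML):
        print(f"<{tag} {attr}> -> {url}")
```

Feeding it the rendered DOM rather than the server's template matters, because script-inserted tags (the Flash embed code in the answer is a typical case) never appear in the original source; what the answer's top-down/bottom-up elimination finds by hand, this finds in one pass.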