
Allow mattermost inside an iframe, in a controlled way

This pull request introduced a security measure to protect against clickjacking attacks: https://github.com/mattermost/platform/pull/253

But it also prevents some legitimate uses of iframes. For example, Nextcloud has an "external sites" function to run any app as if it were a Nextcloud app, by putting it in an iframe inside Nextcloud (https://docs.nextcloud.com/server/9/admin_manual/configuration_server/external_sites.html).

My proposal is to add some settings to allow an authorized domain, and then change X-Frame-Options: instead of DENY, put ALLOW-FROM this domain. And also check the domain in the JavaScript check in head.html.

This way it would allow legitimate uses, while still protecting against clickjacking attacks.

36 votes
Andrés Moya shared this idea
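The server-side half of the proposal above, as an added Go sketch that is not Mattermost's own code: FrameConfig, AllowedFrameOrigin and FrameMiddleware are assumed names. It emits the proposed ALLOW-FROM value and, alongside it, the CSP frame-ancestors equivalent, because ALLOW-FROM is deprecated and Chrome and Safari never implemented it; a malformed setting fails closed to DENY.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// FrameConfig is an assumed setting (not Mattermost's real config): the one
// origin allowed to embed the app in an iframe. Empty means nobody may.
type FrameConfig struct {
	AllowedFrameOrigin string
}

// frameHeaders derives X-Frame-Options (DENY, or ALLOW-FROM the configured
// origin) plus the CSP frame-ancestors equivalent, since ALLOW-FROM is
// deprecated and Chrome/Safari never implemented it. Only a bare origin
// (scheme://host[:port]) passes, so a typo cannot widen the allow list.
func frameHeaders(cfg FrameConfig) (xfo, csp string, err error) {
	if cfg.AllowedFrameOrigin == "" {
		return "DENY", "frame-ancestors 'none'", nil
	}
	u, err := url.Parse(cfg.AllowedFrameOrigin)
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" ||
		u.User != nil || u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return "", "", fmt.Errorf("AllowedFrameOrigin %q is not a bare origin", cfg.AllowedFrameOrigin)
	}
	origin := u.Scheme + "://" + u.Host
	return "ALLOW-FROM " + origin, "frame-ancestors " + origin, nil
}

// FrameMiddleware sets both headers; an invalid setting fails closed to DENY.
func FrameMiddleware(cfg FrameConfig, next http.Handler) http.Handler {
	xfo, csp, err := frameHeaders(cfg)
	if err != nil {
		xfo, csp = "DENY", "frame-ancestors 'none'"
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", xfo)
		w.Header().Set("Content-Security-Policy", csp)
		next.ServeHTTP(w, r)
	})
}

func main() {
	for _, o := range []string{"", "https://cloud.example.com", "*"} {
		xfo, csp, err := frameHeaders(FrameConfig{AllowedFrameOrigin: o})
		fmt.Printf("%q -> %s | %s | %v\n", o, xfo, csp, err)
	}
}
```

The JavaScript check in head.html would need the same allowed origin compared against document.referrer or the ancestor origin, which this server-side sketch does not cover.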

1 comment

