Summary:
we use to only add X-Frame-Options for AphrontWebpageResponse.
There some security concern about it. Example of a drag-drop attack:
http://sites.google.com/site/tentacoloviola/. The fix is to add it to
all AphrontResponse.
Test Plan:
View page which disalble this option still works (like the
xhpast tree page); verify that the AphrontAjaxResponse contains the
X-Frame-Options in the header.
Reviewers: epriestley, benmathews
Reviewed By: epriestley
CC: nh, aran, jungejason, epriestley
Differential Revision: 926
Summary:
Technically we didn't have it in the first place, but should. Also
add in X-Frame-Options for double-plus-good.
Test Plan:
Created a page with Phabricator in an <iframe />, got busted out
of it. Added in the X-Frame-Options, got an empty iframe.
Differential Revision: 38
Reviewed By: tomo
Reviewers: mroch, tomo
