Bug 728892: The attachment "Details" page is still vulnerable to Clickjacking with...
authorFrédéric Buclin <LpSolit@gmail.com>
Wed, 12 Mar 2014 18:25:25 +0000 (19:25 +0100)
committerFrédéric Buclin <LpSolit@gmail.com>
Wed, 12 Mar 2014 18:25:25 +0000 (19:25 +0100)
r/a=justdave

template/en/default/attachment/edit.html.tmpl
template/en/default/attachment/show-multiple.html.tmpl

index dbcef2a71955fc4f9ac196d3e14fe58ca218dafd..1ab30853cdd3f7036455a6a4a08a9e178238ff7a 100644 (file)
                  readonly = 'readonly'
               %]
             [% ELSE %]
-              <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]">
+              <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]" sandbox>
                 <b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
                 <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
               </iframe>
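Review bot: The bare `sandbox` on `viewFrame` protects only in browsers that implement the attribute. Older browsers ignore it and render the attachment in the frame with no restrictions, so the markup alone is not a complete defence. If attachment.cgi does not already do so (its response headers are not visible here), consider having it send `Content-Security-Policy: sandbox` for inline attachment views, so the restriction does not depend on the embedding markup alone. I would also add a template comment above the iframe so the attribute is not loosened later, e.g. `[%# sandbox with no tokens: attachment content is untrusted; do not add allow-scripts, allow-same-origin or allow-top-navigation %]`. The same applies to the `viewall_frame` iframe in show-multiple.html.tmpl; in both files the `[% ELSE %]` branch's condition lies outside the hunk.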
index a7c266b3c94a76044d25d912d4f0b3c3bb79969b..e2c95cb80e73537c2c451a3703f74d71bf0e00f2 100644 (file)
@@ -78,7 +78,7 @@
          classes = 'viewall_frame'
       %]
     [% ELSE %]
-      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
+      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame" sandbox>
         <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
         <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
       </iframe>