Bug 1266167 - clickjacking is possible on "view all" and "details" attachment pages
authorDavid Lawrence <dkl@mozilla.com>
Thu, 21 Apr 2016 22:21:38 +0000 (22:21 +0000)
committerDavid Lawrence <dkl@mozilla.com>
Thu, 21 Apr 2016 22:21:38 +0000 (22:21 +0000)
template/en/default/attachment/edit.html.tmpl
template/en/default/attachment/show-multiple.html.tmpl

index c7d85e270cd5bb4656860085cd8cfa024c74e812..cb0b1c71a752e78580547f81c82a3cfff602fd1e 100644 (file)
                 %]
               [% ELSE %]
                 <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]
-                  [%- "&amp;content_type=text/plain" IF attachment.contenttype.match('^text/x-') %]">
+                  [%- "&amp;content_type=text/plain" IF attachment.contenttype.match('^text/x-') %]" sandbox>
                   <b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
                   <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
                 </iframe>
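Review bot: The bare `sandbox` attribute added to the viewFrame iframe carries no comment explaining why it has no tokens, so a later editor may add `allow-scripts` together with `allow-same-origin` (which lets same-origin framed content remove its own sandbox) and silently undo the fix; the same applies to the viewall_frame iframe in show-multiple.html.tmpl. I would add a template comment just before the iframe, `[%# sandbox with no tokens: attachments are user-supplied; keep script, forms and top navigation disabled %]`, in both templates. Note also that the attribute is only honoured by browsers that implement it and protects only these two embedding points; if the attachment.cgi response can carry a `Content-Security-Policy: sandbox` header, that would cover the attachment wherever it is embedded, but that is outside this diff. The enclosing `[% IF %]`/`[% ELSE %]` block begins outside the hunk.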
index 91768c0d30452649b061592a41cfd6ac1e225331..c28d5dfd6698768dcc2b2a3cadea4d751d202ef2 100644 (file)
@@ -99,7 +99,7 @@
          classes = 'viewall_frame'
       %]
     [% ELSE %]
-      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
+      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame" sandbox>
         <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
         <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
       </iframe>