[Building Sakai] Web Content and X-Frame-Options

Noah Botimer botimer at umich.edu
Thu Dec 29 12:49:38 PST 2011


I don't think being a proxy is a good strategy -- too much weirdness. I do think browsers will eventually put up a decent message, but that sure isn't the common case now. So, I would say that our best mitigation is a combination of 2 and 3.

The thing I see needing to be worked through is the balance between the setup UI, which launches from the tool page (and not Site Info), and the usage UI, which shouldn't require an extra click for every user. One of these will have to give.

A few strategies probably apply within this framework -- no detection, detect at setup, or detect on click. Off the cuff, I would probably lean toward detecting at setup to give site owners a diagnostic message when changing settings. If a site decides to later add the header, site owners will probably notice or be notified by site users.

Thanks,
-Noah

On Dec 29, 2011, at 2:37 PM, Sam Ottenhoff wrote:

> It looks like more and more top sites are starting to use the HTTP header X-Frame-Options set to SAMEORIGIN.
> 
> The effect on Sakai is that our Web Content tool iframes external content and this header will prevent the content from loading.  Try adding a Web Content tool from www.google.com, www.youtube.com, or twitter.com.  In a recent browser like Firefox 8, the iframe will not render.
> 
> What are the preferred solutions?
> 
> 1) Change Web Content into a proxy instead of a pure iframe?
> 
> 2) Detect this header and tell the user it's impossible?
> 
> 3) New option in Web Content to grant a full window to a Web Content tool instead of an iframe?
> 
> --Sam
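
The "detect at setup" idea in this thread comes down to reading the target's X-Frame-Options response header and comparing origins. The sketch below is an added example, not Sakai code and not from either poster; it also handles DENY and ALLOW-FROM, which the thread does not mention, and the function names, hostnames and sample headers are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Reduce a URL to its (scheme, host, port) origin, filling default ports."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def framing_verdict(headers, target_url, tool_url):
    """Return ("ok" | "blocked" | "unknown", reason) for framing target_url
    inside a page served from tool_url, given the target's response headers
    as a list of (name, value) pairs."""
    tokens = [
        tok.strip()
        for name, value in headers
        if name.strip().lower() == "x-frame-options"
        for tok in value.split(",")  # header may be repeated or comma-joined
        if tok.strip()
    ]
    if not tokens:
        return "ok", "no X-Frame-Options header"
    verdict = ("ok", "header present but permits this origin")
    for tok in tokens:
        directive = tok.upper()
        if directive == "DENY":
            return "blocked", "DENY: target refuses all framing"
        if directive == "SAMEORIGIN":
            if origin(target_url) != origin(tool_url):
                return "blocked", "SAMEORIGIN: tool is on a different origin"
        elif directive.startswith("ALLOW-FROM"):
            if origin(tok[len("ALLOW-FROM"):]) != origin(tool_url):
                return "blocked", "ALLOW-FROM names a different origin"
        else:
            # Unrecognised values are reported so the site owner can test by hand.
            verdict = ("unknown", "unrecognised value %r" % tok)
    return verdict


# Constructed sample: headers as a setup-time HEAD request might return them.
SAMPLE_HEADERS = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
TOOL_URL = "https://sakai.example.edu/portal"  # hypothetical Sakai host

if __name__ == "__main__":
    print(framing_verdict(SAMPLE_HEADERS, "http://www.example.com/", TOOL_URL))
```

A "blocked" verdict is the point at which the setup UI would show the diagnostic message (option 2) and offer the full-window launch (option 3).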
