[Koha-bugs] [Bug 16210] Bug 15111 breaks the OPAC if JavaScript is disabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16210

Christopher Brannon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |16179

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16179
[Bug 16179] Clicking Rate me button in OPAC without selecting rating produces error

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Jonathan Druart changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jonathan.dru...@bugs.koha-community.org

--- Comment #1 from Jonathan Druart ---
I use NoScript and Iceweasel 38.2.1 and the OPAC displays correctly.
--- Comment #2 from Owen Leonard ---
I tested in Iceweasel by disabling JS via the Web Developer Toolbar
(http://chrispederick.com/work/web-developer/), but it also works to use
about:config and set the javascript.enabled preference to "false." In Chromium
I use an extension called "Quick Javascript Switcher." I can reproduce the
problem in both.
Jonathan Druart changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |15111
--- Comment #3 from Jonathan Druart ---
Same comment as bug 15111 comment 33:

Well, we have a problem.
After reading this
https://www.owasp.org/images/0/0e/OWASP_AppSec_Research_2010_Busting_Frame_Busting_by_Rydstedt.pdf
it seems that it is not possible not to be vulnerable to XFS and render
something with JS disabled...
--- Comment #4 from Jonathan Druart ---
If I understand correctly, setting X-Frame-Options to SAMEORIGIN should be
enough for modern browsers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

The antiClickjack trick could be removed if we decide not to support them
anymore.
Marc Véron changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ve...@veron.ch
Mirko Tietgen changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mi...@abunchofthings.net

--- Comment #5 from Mirko Tietgen ---
(In reply to Jonathan Druart from comment #4)
> If I understand correctly, setting X-Frame-Options to SAMEORIGIN should be
> enough for modern browsers:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
> 
> The antiClickjack trick could be removed if we decide not to support them
> anymore.

Supported are

  Firefox 3.6.9  September 2010
  IE 8           March 2008
  Opera 10.5     March 2010
  Safari 4       February 2009
  Chrome 4.1.…   somewhen 2010

If that fixes the problem in general I vote for using it. One thing that
needs to be checked is if it works with recent mobile browsers; the website
does not really say that.
--- Comment #6 from Jonathan Druart ---
Created attachment 50051
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50051&action=edit
Bug 16210: Revert OPAC changes from Bug 15111

This patch reverts the changes made at the OPAC from the following patches:

Do not include the antiClickjack legacy browser trick for greybox"
Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox"
This reverts commit fc640d2a86f395ad392f84314bce22e8b4dab1fe.
Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN"
This reverts commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df.
Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks"
This reverts commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929.

Setting X-Frame-Options to SAMEORIGIN is enough for modern browsers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

The antiClickjack trick should be removed at the OPAC as we want to keep the
OPAC usable even if the user has disabled JS.
That means the OPAC will be vulnerable to XFS if a user is navigating with a
prehistoric browser:

  Firefox 3.6.9  September 2010
  IE 8           March 2008
  Opera 10.5     March 2010
  Safari 4       February 2009
  Chrome 4.1.…   somewhen 2010

Test plan:
Confirm that there is no regression of bug 15111 with modern browsers
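The position the commit message settles on (X-Frame-Options: SAMEORIGIN on the response, no antiClickjack script in the page) can be checked mechanically. The following is example code added for this note, not Koha's own: it parses constructed HTTP responses and reports, for each, whether cross-origin framing is blocked in modern browsers and whether the page still renders with JavaScript disabled. The antiClickjack markup is assumed to follow the OWASP legacy pattern (CSS hides the body, script removes the style); the sample responses are constructed, not captured from Koha.

```python
"""Assess a response for the two framing defences discussed in bug 15111/16210:
the X-Frame-Options header (what modern browsers enforce) and the legacy
OWASP "antiClickjack" trick, which hides <body> with CSS and relies on script
to reveal it, so the page stays blank when JavaScript is disabled.
Example code written for this thread, not Koha's own; the responses and the
antiClickjack markup below are constructed for illustration."""
import re

# Constructed sample responses (not captured from a real Koha instance).
# OPAC page as bug 15111 left it: header set AND the legacy JS trick present.
BEFORE_BUG_16210 = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n"
    '<html><head><style id="antiClickjack">body{display:none !important;}</style>'
    "<script>if (self === top) { var s = document.getElementById('antiClickjack');"
    " s.parentNode.removeChild(s); } else { top.location = self.location; }</script>"
    "</head><body>OPAC search</body></html>"
)
# OPAC page after bug 16210: header only, so the body renders without JS.
AFTER_BUG_16210 = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n"
    "<html><head></head><body>OPAC search</body></html>"
)
# A login page that sets no header at all (the kind of gap comment #7 closes).
UNPROTECTED_LOGIN = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><form>login</form></body></html>"
)

# The legacy trick's signature: a <style id="antiClickjack"> that hides <body>.
ANTICLICKJACK_STYLE = re.compile(
    r'<style\b[^>]*\bid=["\']antiClickjack["\'][^>]*>\s*body\s*\{\s*display\s*:\s*none',
    re.IGNORECASE | re.DOTALL,
)

def parse_headers(raw):
    """Return the response headers as a dict keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def xfo_blocks_framing(headers):
    """Only DENY and SAMEORIGIN are reliably enforced. A missing header, an
    unknown value or ALLOW-FROM (never implemented by Chrome or Safari)
    leaves the page frameable by other origins."""
    value = headers.get("x-frame-options", "").strip().upper()
    return value in ("DENY", "SAMEORIGIN")

def renders_without_js(html):
    """False when the antiClickjack style is present: without script nothing
    ever removes it, so a no-JS visitor sees an empty page."""
    return ANTICLICKJACK_STYLE.search(html) is None

def assess(raw_response):
    """Does this response block cross-origin framing in modern browsers, and
    does the page still render with JavaScript disabled?"""
    _, _, body = raw_response.partition("\r\n\r\n")
    return {"framing_blocked": xfo_blocks_framing(parse_headers(raw_response)),
            "renders_without_js": renders_without_js(body)}
```

Run `assess()` over every page-rendering response of a deployment (the login page included) to find responses that set the header nowhere, or that still ship the legacy trick.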
Jonathan Druart changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |Needs Signoff
--- Comment #7 from Jonathan Druart ---
Created attachment 50052
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50052&action=edit
Bug 16210: Set X-Frame-Options to SAMEORIGIN in 2 other places

The login page should not be displayed if the page is displayed in a frame.
Jonathan Druart changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|oleon...@myacpl.org         |jonathan.dru...@bugs.koha-community.org
David Cook changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dc...@prosentient.com.au
Marc Véron changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #50051 is|0                           |1
           obsolete|                            |

--- Comment #8 from Marc Véron ---
Created attachment 50147
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50147&action=edit
Bug 16210: Revert OPAC changes from Bug 15111

This patch reverts the changes made at the OPAC from the following patches:

Do not include the antiClickjack legacy browser trick for greybox"
Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox"
This reverts commit fc640d2a86f395ad392f84314bce22e8b4dab1fe.
Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN"
This reverts commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df.
Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks"
This reverts commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929.

Setting X-Frame-Options to SAMEORIGIN is enough for modern browsers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

The antiClickjack trick should be removed at the OPAC as we want to keep the
OPAC usable even if the user has disabled JS.
That means the OPAC will be vulnerable to XFS if a user is navigating with a
prehistoric browser:

  Firefox 3.6.9  September 2010
  IE 8           March 2008
  Opera 10.5     March 2010
  Safari 4       February 2009
  Chrome 4.1.…   somewhen 2010

Test plan:
Confirm that there is no regression of bug 15111 with modern browsers

Signed-off-by: Marc Véron
Marc Véron changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #50052 is|0                           |1
           obsolete|                            |

--- Comment #9 from Marc Véron ---
Created attachment 50148
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50148&action=edit
Bug 16210: Set X-Frame-Options to SAMEORIGIN in 2 other places

The login page should not be displayed if the page is displayed in a frame.

Signed-off-by: Marc Véron
Marc Véron changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Signed Off
   Patch complexity|---                         |Trivial patch
--- Comment #10 from Owen Leonard ---
This works for me to enable use of the OPAC without JavaScript, which I
think is an important goal.

I think we can rationalize the vulnerability for older browsers by saying
"If you're still using one of these browsers you are probably vulnerable to
any number of other terrible security problems because of your old computer
and/or browser and what's one more?"

I will leave it to someone who knows better than I to test whether this
solves the security problem it's meant to fix.
Chris Cormack changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ch...@bigballofwax.co.nz

--- Comment #11 from Chris Cormack ---
(In reply to Owen Leonard from comment #10)
> This works for me to enable use of the OPAC without JavaScript, which I
> think is an important goal.
> 
> I think we can rationalize the vulnerability for older browsers by saying
> "If you're still using one of these browsers you are probably vulnerable to
> any number of other terrible security problems because of your old computer
> and/or browser and what's one more?"
> 
> I will leave it to someone who knows better than I to test whether this
> solves the security problem it's meant to fix.

Yeah, it does what it should, and yep if you are running a 6 year old
browser, chances are someone already is doing all your internet banking for
you. Having someone put a hold on a book you don't want, is the least of your
worries at that point.

I think it is better to allow those who run without JS turned on (often for
very legitimate reasons) to be able to use the OPAC. Than to try to support
browsers from last decade.
Katrin Fischer changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Passed QA
Katrin Fischer changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #50147 is|0                           |1
           obsolete|                            |
Attachment #50148 is|0                           |1
           obsolete|                            |

--- Comment #12 from Katrin Fischer ---
Created attachment 50220
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50220&action=edit
[PASSED QA] Bug 16210: Revert OPAC changes from Bug 15111

This patch reverts the changes made at the OPAC from the following patches:

Do not include the antiClickjack legacy browser trick for greybox"
Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox"
This reverts commit fc640d2a86f395ad392f84314bce22e8b4dab1fe.
Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN"
This reverts commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df.
Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks"
This reverts commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929.

Setting X-Frame-Options to SAMEORIGIN is enough for modern browsers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

The antiClickjack trick should be removed at the OPAC as we want to keep the
OPAC usable even if the user has disabled JS.
That means the OPAC will be vulnerable to XFS if a user is navigating with a
prehistoric browser:

  Firefox 3.6.9  September 2010
  IE 8           March 2008
  Opera 10.5     March 2010
  Safari 4       February 2009
  Chrome 4.1.…   somewhen 2010

Test plan:
Confirm that there is no regression of bug 15111 with modern browsers

Signed-off-by: Marc Véron
Signed-off-by: Katrin Fischer
--- Comment #13 from Katrin Fischer ---
Created attachment 50221
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=50221&action=edit
[PASSED QA] Bug 16210: Set X-Frame-Options to SAMEORIGIN in 2 other places

The login page should not be displayed if the page is displayed in a frame.

Signed-off-by: Marc Véron
Signed-off-by: Katrin Fischer
Brendan Gallagher changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bren...@bywatersolutions.com
             Status|Passed QA                   |Pushed to Master

--- Comment #14 from Brendan Gallagher ---
Pushed to Master - Should be in the May 2016 release. Thanks!
Julian Maurice changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |julian.maur...@biblibre.com
             Status|Pushed to Master            |Pushed to Stable

--- Comment #15 from Julian Maurice ---
Patches pushed to 3.22.x, will be in 3.22.6
Frédéric Demians changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |frede...@tamil.fr

--- Comment #16 from Frédéric Demians ---
Pushed to 3.22.x, will be in 3.20.11.
Bug 16210 depends on bug 15111, which changed state.

Bug 15111 Summary: Koha is vulnerable to Cross-Frame Scripting (XFS) attacks
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15111

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Pushed to Stable            |RESOLVED
         Resolution|---                         |FIXED