Adobe Connect Addresses clickjacking Concerns

Solution :

• There will be two related, but different system-wide parameters: ENABLE_X_FRAME_OPTIONS to allow this, and FORCE_X_FRAME_OPTIONS to force it for everyone.
  • The default value for the (currently existing) parameter ENABLE_X_FRAME_OPTIONS, will be changed from false to true. Changing this to false will disable X-Frame options system-wide, overriding any account-specific setting.
  • The default value for the new parameter, FORCE_X_FRAME_OPTIONS, will be false. This exists so that we can force X-Frames options for all accounts. But given that there are accounts which seem to require the X-Frame options to be disabled, this might remain an optional parameter for some accounts.
• A new feature (ID=177, FEATURE_X_FRAME_OPTIONS_FOR_ACCOUNT) will be added to track this option on a per-account basis.
  • This feature will be exposed in the Administration screen, under “More Settings” as the option “Configure X-Frame Options,” and will be unchecked/disabled by default. In other words, the per-account default will match what was previously the system-wide default. This will need to be enabled on an account-by-account basis. See Figure 1 below.
  • Obviously, this will only be editable if FORCE_X_FRAME_OPTIONS is false
  • If this option is checked, if X-Frames options are enabled, then the Allow From drop-down box will be enabled. It offers two options: SAMEORIGIN (default), or ALLOW-FROM (Figure 2 below)
  • If ALLOW-FROM is selected, then the Allow From URI input box is enabled for editing (Figure 3 below). It will be required if enabled, and there will be validation of this text.

Figure 1

 

Figure 2

Figure 3