author | David Lawrence <dkl@mozilla.com> | 2016-04-22 00:21:38 +0200 |
---|---|---|
committer | David Lawrence <dkl@mozilla.com> | 2016-04-22 00:21:38 +0200 |
commit | dab15f57403d7499c958a20e0c96ebf3083a6745 (patch) | |
tree | d41a267263f78308ddac9ec652880a6373b90b48 /template/en/default/attachment/show-multiple.html.tmpl | |
parent | d447aed0cb1672f6c7e99bf98199278dea23702f (diff) | |
download | bugzilla-dab15f57403d7499c958a20e0c96ebf3083a6745.tar.gz bugzilla-dab15f57403d7499c958a20e0c96ebf3083a6745.tar.xz |
Bug 1266167 - clickjacking is possible on "view all" and "details" attachment pages
Diffstat (limited to 'template/en/default/attachment/show-multiple.html.tmpl')
-rw-r--r-- | template/en/default/attachment/show-multiple.html.tmpl | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl index 91768c0d3..c28d5dfd6 100644 --- a/template/en/default/attachment/show-multiple.html.tmpl +++ b/template/en/default/attachment/show-multiple.html.tmpl @@ -99,7 +99,7 @@ classes = 'viewall_frame' %] [% ELSE %] - <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame"> + <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame" sandbox> <b>You cannot view the attachment on this page because your browser does not support IFRAMEs. <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b> </iframe> |
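Review bot: the bare `sandbox` added on the `<iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame" sandbox>` line has no template comment explaining why it carries no allow-* tokens. An empty `sandbox` applies every restriction to the framed attachment: scripts and form submission are disabled, the content is treated as a unique origin, and it cannot navigate the top-level page. That is the right default for untrusted attachment content, but nothing in the template records it, so a later change that adds `allow-scripts allow-same-origin` to fix a rendering complaint would quietly remove the protection. Suggest a `[%# ... %]` comment above the line referencing Bug 1266167 and stating that tokens must not be added. Two smaller points: the fallback text inside the iframe is shown only when the browser lacks IFRAME support, so a user whose attachment fails to render under the sandbox gets no pointer to the existing "View the attachment on a separate page" link; and browsers that do not implement `sandbox` ignore the attribute, so this line should not be the only control relied on for these pages.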