mariano-f-r / chatter

A small Rust websocket chat
MIT License

Prevent Site Botting Through iframes #28

Closed Glacier150 closed 9 months ago

Glacier150 commented 9 months ago

A user has recently proven that, through repeating iframes in a coding playground, they can bot the site and overflow the site. This also allows for DDoS attacks.

Glacier150 commented 9 months ago

It looks like we can use the HTTP Content-Security-Policy (CSP) frame-ancestors and set this to none. We should use this over XFO to prevent iframes on Edge. This is also better than a JS alternative which can be disabled.

Content-Security-Policy: frame-ancestors 'none';

mariano-f-r commented 9 months ago

<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none';"> seems like it would work.

If you wouldn't mind quickly implementing it, that'd be much appreciated.
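Added example (not part of this thread or of the chatter code base): a small, dependency-free Rust sketch of what the server should send and a checker that tells a correctly protected response from one that is not. One caveat worth building into the check: browsers only honour `frame-ancestors` when it arrives as a real HTTP response header; the CSP specification states the directive is ignored when delivered through a `<meta http-equiv>` element, so a page that carries the policy only in its HTML is still framable. The function and header names below (`anti_framing_headers`, `blocks_framing`, `render_response`, `parse_response_headers`) are assumptions for this example; the sample response bodies are constructed inline.

```rust
use std::collections::HashMap;

/// Response headers that refuse every framing context. Both are set so that a
/// browser honouring only one of them still declines to frame the page.
/// (Hypothetical helper for this example, not a chatter function.)
pub fn anti_framing_headers() -> Vec<(String, String)> {
    vec![
        ("Content-Security-Policy".to_string(), "frame-ancestors 'none';".to_string()),
        ("X-Frame-Options".to_string(), "DENY".to_string()),
    ]
}

/// Parse a CSP header value into `directive name -> source list`.
fn parse_csp(value: &str) -> HashMap<String, Vec<String>> {
    value
        .split(';')
        .filter_map(|directive| {
            let mut parts = directive.split_whitespace();
            let name = parts.next()?.to_ascii_lowercase();
            Some((name, parts.map(|s| s.to_string()).collect()))
        })
        .collect()
}

/// Case-insensitive header lookup over a list of (name, value) pairs.
fn header<'a>(headers: &'a [(String, String)], name: &str) -> Option<&'a str> {
    headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case(name))
        .map(|(_, v)| v.as_str())
}

/// True when the response headers forbid framing by any origin.
/// A CSP `frame-ancestors` directive, when present, takes precedence over
/// X-Frame-Options, which mirrors how browsers resolve the two.
pub fn blocks_framing(headers: &[(String, String)]) -> bool {
    if let Some(csp) = header(headers, "Content-Security-Policy") {
        if let Some(sources) = parse_csp(csp).get("frame-ancestors") {
            return sources.len() == 1 && sources[0].eq_ignore_ascii_case("'none'");
        }
    }
    match header(headers, "X-Frame-Options") {
        Some(v) => v.trim().eq_ignore_ascii_case("DENY"),
        None => false,
    }
}

/// Render a minimal HTTP/1.1 response carrying the anti-framing headers.
/// Constructed illustration of what the server should emit, not chatter's handler.
pub fn render_response(body: &str) -> String {
    let mut out = String::from("HTTP/1.1 200 OK\r\n");
    for (k, v) in anti_framing_headers() {
        out.push_str(&format!("{}: {}\r\n", k, v));
    }
    out.push_str("Content-Type: text/html; charset=utf-8\r\n");
    out.push_str(&format!("Content-Length: {}\r\n\r\n{}", body.len(), body));
    out
}

/// Split a raw HTTP response into its header pairs (status line and body ignored).
/// Only real headers count: a policy inside the body's <meta> tag is never seen here,
/// which is exactly the browser's behaviour for frame-ancestors.
pub fn parse_response_headers(raw: &str) -> Vec<(String, String)> {
    let head = raw.split("\r\n\r\n").next().unwrap_or("");
    head.lines()
        .skip(1)
        .filter_map(|line| {
            let (k, v) = line.split_once(':')?;
            Some((k.trim().to_string(), v.trim().to_string()))
        })
        .collect()
}

fn main() {
    let resp = render_response("<p>chat</p>");
    println!("{}", resp);
    println!("framing blocked: {}", blocks_framing(&parse_response_headers(&resp)));
}
```

Running the binary prints the hardened response and `framing blocked: true`; feeding `parse_response_headers` a response whose only policy is a `<meta>` tag in the body yields `false`, which is the case a deploy-time check should catch.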

mariano-f-r commented 9 months ago

This is not completed, that was a misclick.