From ca7b39aa66be9b4deea1ead8e6a788025759b80d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= <LpSolit@gmail.com>
Date: Wed, 12 Mar 2014 19:25:25 +0100
Subject: Bug 728892: The attachment "Details" page is still vulnerable to
 Clickjacking with SVG or XHTML attachments r/a=justdave

---
 template/en/default/attachment/show-multiple.html.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'template/en/default/attachment/show-multiple.html.tmpl')

diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl
index a7c266b3c..e2c95cb80 100644
--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -78,7 +78,7 @@
          classes = 'viewall_frame'
       %]
     [% ELSE %]
-      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
+      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame" sandbox>
         <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
         <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
       </iframe>
-- 
cgit v1.2.1