IntenseWebs/mattermost
3
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2025-02-25 18:55:24 -06:00
Code Issues Packages Projects Releases Wiki Activity

Limited the added headers to only non-api calls

Browse Source
This commit is contained in:
nickago
2015-07-27 11:59:14 -07:00
parent 18d160bec5
commit ce2cf5b4e8
1 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
api/context.go
View File

@@ -100,8 +100,12 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId)
w.Header().Set(model.HEADER_VERSION_ID, utils.Cfg.ServiceSettings.Version)
w.Header().Set("X-FRAME-OPTIONS", "DENY")
w.Header().Set("Content-Security-Policy", "frame-ancestors none")
// Instruct the browser not to display us in an iframe for anti-clickjacking
if !h.isApi {
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("Content-Security-Policy", "frame-ancestors none")
}
sessionId := ""