Merge pull request #253 from nickago/MM-1654

MM-1654 Anti-clickjacking measures
2025-02-25 18:55:24 -06:00 · 2015-07-28 10:03:10 -04:00
parent 94b905aff5 ce2cf5b4e8
commit ec2e61bc55
2 changed files with 13 additions and 0 deletions
--- a/api/context.go
+++ b/api/context.go
@@ -101,6 +101,12 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId)
 	w.Header().Set(model.HEADER_VERSION_ID, utils.Cfg.ServiceSettings.Version)

+	// Instruct the browser not to display us in an iframe for anti-clickjacking
+	if !h.isApi {
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+	}
+
 	sessionId := ""

 	// attempt to parse the session token from the header
--- a/web/templates/head.html
+++ b/web/templates/head.html
@@ -36,6 +36,13 @@

    <script type="text/javascript" src="https://cloudfront.loggly.com/js/loggly.tracker.js" async></script>
    <script id="config" type="text/javascript" src="/static/config/config.js"></script>
+    <style id="antiClickjack">body{display:none !important;}</style>
+    <script type="text/javascript">
+        if (self === top) {
+            var blocker = document.getElementById("antiClickjack");
+            blocker.parentNode.removeChild(blocker);
+        }
+    </script>
    <script>
        if (config == null) {
            config = {};