Merge pull request #487 from tahoe-lafs/1455.x-frame-options.2
Set `X-Frame-Options: DENY` for all web status pages. This prevents attackers from loading web status pages in a frame as a way to trick users into interactions which attackers are restricted from performing unaided.
bfedd79633
@ -782,10 +782,25 @@ class MultiFormatPageTests(unittest.TestCase):
class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixin, unittest.TestCase):
class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixin, unittest.TestCase):
maxDiff = None
def test_create(self):
def test_create(self):
pass
pass
maxDiff = None
def test_frame_options(self):
"""
All pages deny the ability to be loaded in frames.
"""
d = self.GET("/", return_response=True)
def responded(result):
_, _, headers = result
self.assertEqual(
[b"DENY"],
headers.getRawHeaders(b"X-Frame-Options"),
)
d.addCallback(responded)
return d
def test_welcome_json(self):
def test_welcome_json(self):
"""
"""
There is a JSON version of the welcome page which can be selected with the
There is a JSON version of the welcome page which can be selected with the
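Review bot: test_frame_options only requests `/`, so its docstring "All pages deny the ability to be loaded in frames." claims more than the assertion verifies; the header appears to be attached at the request layer rather than by the welcome resource, but this hunk does not show that, and a reader of the test alone cannot tell. Either narrow the docstring to what is checked, e.g. `"""The welcome page carries X-Frame-Options: DENY (set for every request, so one page is representative)."""`, or add a second GET of another path served by the same server and assert the same `[b"DENY"]` value. The `maxDiff = None` line is only moved, which is fine. The enclosing class Web continues beyond both ends of this hunk.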
@ -49,6 +49,10 @@ class MyRequest(appserver.NevowRequest):
self.client = self.channel.transport.getPeer()
self.client = self.channel.transport.getPeer()
self.host = self.channel.transport.getHost()
self.host = self.channel.transport.getHost()
# Adding security headers. These will be sent for *all* HTTP requests.
# See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
self.responseHeaders.setRawHeaders("X-Frame-Options", ["DENY"])
# Argument processing.
# Argument processing.
## The original twisted.web.http.Request.requestReceived code parsed the
## The original twisted.web.http.Request.requestReceived code parsed the
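Review bot: The added `self.responseHeaders.setRawHeaders("X-Frame-Options", ["DENY"])` passes a native str name and value, while the new test reads them back as bytes (`b"X-Frame-Options"`, `[b"DENY"]`); on Python 2 those are the same type, but under Python 3 this silently depends on Twisted's Headers encoding str on the way in, so spelling them as bytes makes the contract explicit: `self.responseHeaders.setRawHeaders(b"X-Frame-Options", [b"DENY"])`. Because the header is stored before any resource renders, a resource that later sets its own X-Frame-Options value replaces DENY rather than adding to it; presumably intended, but worth stating in the comment, e.g. `# Set up front so every response (including errors and redirects) carries it; a resource may still override it.` The comment could also note that CSP `frame-ancestors 'none'` is the successor to X-Frame-Options and can be sent alongside it. The enclosing method starts before this hunk.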