Merge pull request #487 from tahoe-lafs/1455.x-frame-options.2
Set `X-Frame-Options: DENY` for all web status pages. This prevents attackers from loading web status pages in a frame as a way to trick users into interactions which attackers are restricted from performing unaided.
bfedd79633
@ -782,10 +782,25 @@ class MultiFormatPageTests(unittest.TestCase):
|
|||
|
||||
|
||||
class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixin, unittest.TestCase):
|
||||
maxDiff = None
|
||||
|
||||
def test_create(self):
|
||||
pass
|
||||
|
||||
maxDiff = None
|
||||
def test_frame_options(self):
|
||||
"""
|
||||
All pages deny the ability to be loaded in frames.
|
||||
"""
|
||||
d = self.GET("/", return_response=True)
|
||||
def responded(result):
|
||||
_, _, headers = result
|
||||
self.assertEqual(
|
||||
[b"DENY"],
|
||||
headers.getRawHeaders(b"X-Frame-Options"),
|
||||
)
|
||||
d.addCallback(responded)
|
||||
return d
|
||||
|
||||
def test_welcome_json(self):
|
||||
"""
|
||||
There is a JSON version of the welcome page which can be selected with the
|
||||
|
|
|
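Review bot: test_frame_options only requests `/` while its docstring promises that all pages deny framing; since the header is added in MyRequest for every request a single check may be adequate, but the docstring should say why that suffices, e.g. `The X-Frame-Options header is set on every response by MyRequest; the welcome page stands in for all pages.`, or the test should GET a second, non-root page as well. Two `maxDiff = None` class attributes are visible in this hunk, one above `test_create` and one just before `test_frame_options`; if both survive on the new side, the second is a redundant duplicate that should be dropped. The enclosing class Web continues outside the hunk.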
@ -49,6 +49,10 @@ class MyRequest(appserver.NevowRequest):
|
|||
self.client = self.channel.transport.getPeer()
|
||||
self.host = self.channel.transport.getHost()
|
||||
|
||||
# Adding security headers. These will be sent for *all* HTTP requests.
|
||||
# See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||
self.responseHeaders.setRawHeaders("X-Frame-Options", ["DENY"])
|
||||
|
||||
# Argument processing.
|
||||
|
||||
## The original twisted.web.http.Request.requestReceived code parsed the
|
||||
|
|
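Review bot: The header is set with a str name and value (`"X-Frame-Options"`, `["DENY"]`) whereas the new test reads it back as `b"X-Frame-Options"` / `[b"DENY"]`; recent Twisted `Headers` encodes str for you, but the two spellings only line up when that normalization is present, so `self.responseHeaders.setRawHeaders(b"X-Frame-Options", [b"DENY"])` avoids depending on it. This appears to run when the request is set up (the neighbouring lines capture the peer and host), i.e. before any resource renders, so a resource that later calls `setRawHeaders` on the same name silently replaces the value; a comment such as `# Set per-request so every resource inherits it; resources must not override this header.` makes that contract explicit. Consider also emitting the CSP equivalent, `Content-Security-Policy: frame-ancestors 'none'`, since X-Frame-Options is the legacy mechanism and current browsers prefer the CSP directive. The enclosing method starts outside the hunk.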