fix self-service fallout from clickjacking fix, RT#39881
[freeside.git] / FS / FS / Mason / Request.pm
index 2cf1ed9..0d9c6d4 100644 (file)
@@ -65,6 +65,12 @@ sub freeside_setup {
             if fileno(STDOUT) != 1;
     }
 
+    if ( $HTML::Mason::Commands::r ) {
+      FS::Trace->log('    adding headers');
+      #frame-ancestors not supported by all the major browsers yet
+      $HTML::Mason::Commands::r->header_out( 'X-Frame-Options', 'SAMEORIGIN' );
+    }
+
     if ( $filename =~ qr(/REST/\d+\.\d+/NoAuth/) ) {
 
       FS::Trace->log('    handling RT REST/NoAuth file');
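Review bot: The header added at line 11 goes through `header_out`, which populates headers_out; under Apache those headers are only emitted on successful responses, so error pages (4xx/5xx) and anything that ends in an error status would still be frameable, which is exactly where a login or error form could be framed. If that is a concern here, set it on the error headers as well, e.g. `$HTML::Mason::Commands::r->err_header_out( 'X-Frame-Options', 'SAMEORIGIN' );` under mod_perl 1, or `$HTML::Mason::Commands::r->err_headers_out->set( 'X-Frame-Options' => 'SAMEORIGIN' );` under mod_perl 2, whichever API this deployment uses. The comment at line 10 would also read better as `# CSP frame-ancestors is not yet supported by all major browsers, so X-Frame-Options is used instead`. The guard on `$HTML::Mason::Commands::r` appears to be what keeps the non-Apache (self-service) path from dying, so it should stay. `freeside_setup` starts and ends outside this hunk.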