clickjacking protection: set X-Frame-Options SAMEORIGIN, RT#39607

author Ivan Kohler <ivan@freeside.biz>

Tue, 5 Jan 2016 17:09:10 +0000 (09:09 -0800)

committer Ivan Kohler <ivan@freeside.biz>

Tue, 5 Jan 2016 17:09:10 +0000 (09:09 -0800)
author Ivan Kohler <ivan@freeside.biz>
Tue, 5 Jan 2016 17:09:10 +0000 (09:09 -0800)
committer Ivan Kohler <ivan@freeside.biz>
Tue, 5 Jan 2016 17:09:10 +0000 (09:09 -0800)
diff --git a/FS/FS/Mason/Request.pm b/FS/FS/Mason/Request.pm

index 2cf1ed9..b33efcc 100644 (file)
--- a/FS/FS/Mason/Request.pm
+++ b/FS/FS/Mason/Request.pm
@@ -65,6 +65,10 @@ sub freeside_setup {
              if fileno(STDOUT) != 1;
      }
  
+    FS::Trace->log('    adding headers');
+    #frame-ancestors not supported by all the major browsers yet
+    $HTML::Mason::Commands::r->header_out( 'X-Frame-Options', 'SAMEORIGIN' );
+
      if ( $filename =~ qr(/REST/\d+\.\d+/NoAuth/) ) {
  
        FS::Trace->log('    handling RT REST/NoAuth file');
author	Ivan Kohler <ivan@freeside.biz>
	Tue, 5 Jan 2016 17:09:10 +0000 (09:09 -0800)
committer	Ivan Kohler <ivan@freeside.biz>
	Tue, 5 Jan 2016 17:09:10 +0000 (09:09 -0800)