clickjacking protection: set X-Frame-Options SAMEORIGIN, RT#39607

[freeside.git] / FS / FS / Mason / Request.pm

diff --git a/FS/FS/Mason/Request.pm b/FS/FS/Mason/Request.pm
index 36c46dc..537ba2d 100644 (file)
--- a/FS/FS/Mason/Request.pm
+++ b/FS/FS/Mason/Request.pm
@@ -5,6 +5,7 @@ use warnings;
 use vars qw( $FSURL $QUERY_STRING );
 use base 'HTML::Mason::Request';
 use FS::Trace;
+use FS::access_user_log;
 
 $FSURL = 'http://Set/FS_Mason_Request_FSURL/in_standalone_mode/';
 $QUERY_STRING = '';
@@ -64,6 +65,10 @@ sub freeside_setup {
             if fileno(STDOUT) != 1;
     }
 
+    FS::Trace->log('    adding headers');
+    #frame-ancestors not supported by all the major browsers yet
+    $HTML::Mason::Commands::r->header_out( 'X-Frame-Options', 'SAMEORIGIN' );
+
     if ( $filename =~ qr(/REST/\d+\.\d+/NoAuth/) ) {
 
       FS::Trace->log('    handling RT REST/NoAuth file');
@@ -109,6 +114,10 @@ sub freeside_setup {
     FS::Trace->log('    UTF-8-decoding form data');
     #
     foreach my $param ( $cgi->param ) {
+        
+      #we can't switch to multi_param until we're done supporting deb 7
+      local($CGI::LIST_CONTEXT_WARN) = 0;
+
       my @values = $cgi->param($param);
       next if $cgi->uploadInfo($values[0]);
       #warn $param;
@@ -118,6 +127,8 @@ sub freeside_setup {
     
   }
 
+  FS::access_user_log->insert_new_path( $filename );
+
   FS::Trace->log('    done');
 
 }