projects / freeside.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
clickjacking protection: set X-Frame-Options SAMEORIGIN, RT#39607
[freeside.git] / FS / FS / Mason / Request.pm
diff --git a/FS/FS/Mason/Request.pm b/FS/FS/Mason/Request.pm
index 66c69f6..537ba2d 100644 (file)
--- a/FS/FS/Mason/Request.pm
+++ b/FS/FS/Mason/Request.pm
@@ -65,6 +65,10 @@ sub freeside_setup {
             if fileno(STDOUT) != 1;
     }
 
+    FS::Trace->log('    adding headers');
+    #frame-ancestors not supported by all the major browsers yet
+    $HTML::Mason::Commands::r->header_out( 'X-Frame-Options', 'SAMEORIGIN' );
+
     if ( $filename =~ qr(/REST/\d+\.\d+/NoAuth/) ) {
 
       FS::Trace->log('    handling RT REST/NoAuth file');
@@ -110,6 +114,10 @@ sub freeside_setup {
     FS::Trace->log('    UTF-8-decoding form data');
     #
     foreach my $param ( $cgi->param ) {
+        
+      #we can't switch to multi_param until we're done supporting deb 7
+      local($CGI::LIST_CONTEXT_WARN) = 0;
+
       my @values = $cgi->param($param);
       next if $cgi->uploadInfo($values[0]);
       #warn $param;
Freeside billing, trouble ticketing, network monitoring and provisioning