From: Ivan Kohler
Date: Tue, 5 Jan 2016 17:09:08 +0000 (-0800)
Subject: clickjacking protection: set X-Frame-Options SAMEORIGIN, RT#39607
X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=commitdiff_plain;h=b36fd164c990208bb1c37f40ee1887996442f94e

clickjacking protection: set X-Frame-Options SAMEORIGIN, RT#39607
---

diff --git a/FS/FS/Mason/Request.pm b/FS/FS/Mason/Request.pm
index 2cf1ed9e0..b33efcc17 100644
--- a/FS/FS/Mason/Request.pm
+++ b/FS/FS/Mason/Request.pm
@@ -65,6 +65,10 @@ sub freeside_setup {
 if fileno(STDOUT) != 1;
 }
 
+ FS::Trace->log(' adding headers');
+ #frame-ancestors not supported by all the major browsers yet
+ $HTML::Mason::Commands::r->header_out( 'X-Frame-Options', 'SAMEORIGIN' );
+
 if ( $filename =~ qr(/REST/\d+\.\d+/NoAuth/) ) {
 FS::Trace->log(' handling RT REST/NoAuth file');