From cc02a828a03aecd99780bd84a6cec3d375d3b279 Mon Sep 17 00:00:00 2001
From: Ivan Kohler <ivan@freeside.biz>
Date: Tue, 5 Jan 2016 09:09:11 -0800
Subject: [PATCH] clickjacking protection: set X-Frame-Options SAMEORIGIN,
 RT#39607

---
 FS/FS/Mason/Request.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/FS/FS/Mason/Request.pm b/FS/FS/Mason/Request.pm
index 022ff8e8a..537ba2d78 100644
--- a/FS/FS/Mason/Request.pm
+++ b/FS/FS/Mason/Request.pm
@@ -65,6 +65,10 @@ sub freeside_setup {
             if fileno(STDOUT) != 1;
     }
 
+    FS::Trace->log('    adding headers');
+    #frame-ancestors not supported by all the major browsers yet
+    $HTML::Mason::Commands::r->header_out( 'X-Frame-Options', 'SAMEORIGIN' );
+
     if ( $filename =~ qr(/REST/\d+\.\d+/NoAuth/) ) {
 
       FS::Trace->log('    handling RT REST/NoAuth file');
-- 
2.11.0