Merge pull request #487 from tahoe-lafs/1455.x-frame-options.2

Set `X-Frame-Options: DENY` for all web status pages. This prevents attackers from loading web status pages in a frame as a way to trick users into interactions which attackers are restricted from performing unaided.
2024-12-20 05:28:04 +00:00 · 2018-05-28 08:12:35 -04:00 · 2018-05-28 08:12:35 -04:00 · bfedd79633
commit bfedd79633
parent 91c655298a e0c73e0ea1
2 changed files with 20 additions and 1 deletions
--- a/src/allmydata/test/web/test_web.py
+++ b/src/allmydata/test/web/test_web.py
@ -782,10 +782,25 @@ class MultiFormatPageTests(unittest.TestCase):


 class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixin, unittest.TestCase):
+    maxDiff = None
+
    def test_create(self):
        pass

-    maxDiff = None
+    def test_frame_options(self):
+        """
+        All pages deny the ability to be loaded in frames.
+        """
+        d = self.GET("/", return_response=True)
+        def responded(result):
+            _, _, headers = result
+            self.assertEqual(
+                [b"DENY"],
+                headers.getRawHeaders(b"X-Frame-Options"),
+            )
+        d.addCallback(responded)
+        return d
+
    def test_welcome_json(self):
        """
        There is a JSON version of the welcome page which can be selected with the
--- a/src/allmydata/webish.py
+++ b/src/allmydata/webish.py
@ -49,6 +49,10 @@ class MyRequest(appserver.NevowRequest):
        self.client = self.channel.transport.getPeer()
        self.host = self.channel.transport.getHost()

+        # Adding security headers. These will be sent for *all* HTTP requests.
+        # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+        self.responseHeaders.setRawHeaders("X-Frame-Options", ["DENY"])
+
        # Argument processing.

 ##      The original twisted.web.http.Request.requestReceived code parsed the