From 718fa4493c4b6dd9d897160ded2ea4831c17d3bf Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Mon, 9 Feb 2015 02:27:32 +0000
Subject: [PATCH 1/4] Add "X-Frame-Options: DENY" header to all pages.

refs #1455

Signed-off-by: Daira Hopwood
---
 src/allmydata/webish.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/allmydata/webish.py b/src/allmydata/webish.py
index 416e34dfd..81d8672d2 100644
--- a/src/allmydata/webish.py
+++ b/src/allmydata/webish.py
@@ -45,6 +45,9 @@ class MyRequest(appserver.NevowRequest):
 self.client = self.channel.transport.getPeer()
 self.host = self.channel.transport.getHost()
+ # Adding security headers. These will be sent for *all* HTTP requests.
+ self.responseHeaders.setRawHeaders("X-Frame-Options", ["DENY"])
+
 # Argument processing.
 ## The original twisted.web.http.Request.requestReceived code parsed the

From 36c77568907374834e11031053d8d46a6280e1a8 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Fri, 13 Apr 2018 12:48:03 -0400
Subject: [PATCH 2/4] Reference X-Frame-Options documentation

---
 src/allmydata/webish.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/allmydata/webish.py b/src/allmydata/webish.py
index 81d8672d2..a07fbb4f2 100644
--- a/src/allmydata/webish.py
+++ b/src/allmydata/webish.py
@@ -46,6 +46,7 @@ class MyRequest(appserver.NevowRequest):
 self.host = self.channel.transport.getHost()
 # Adding security headers. These will be sent for *all* HTTP requests.
+ # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 self.responseHeaders.setRawHeaders("X-Frame-Options", ["DENY"])
 # Argument processing.
@@ -221,4 +222,3 @@ class IntroducerWebishServer(WebishServer):
 service.MultiService.__init__(self)
 self.root = introweb.IntroducerRoot(introducer)
 self.buildServer(webport, nodeurl_path, staticdir)
-

From 7bc207cdcb2a1daf047dfbbffcc9f0bdb21b170f Mon Sep 17 00:00:00 2001
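Review bot: The `X-Frame-Options` header is set here before any resource renders, so a resource that later calls `setRawHeaders` on the same name replaces it rather than adding to it, and the new comment should say so, e.g. `# Set before rendering; a later setRawHeaders("X-Frame-Options", ...) in a resource overrides this.` X-Frame-Options is the older of the two framing controls; the CSP `frame-ancestors` directive (`Content-Security-Policy: frame-ancestors 'none'`) is the standardized equivalent and can be set at the same point so that clients which only honor CSP are covered as well. The comment's claim that this applies to *all* HTTP requests holds for requests handled by MyRequest; whether every page the node serves goes through this request class is not visible in the hunk. The enclosing method (requestReceived, going by the surrounding comment) starts and ends outside the hunk.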
From: Jean-Paul Calderone
Date: Fri, 13 Apr 2018 12:52:12 -0400
Subject: [PATCH 3/4] Shift this out of the way

---
 src/allmydata/test/web/test_web.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/allmydata/test/web/test_web.py b/src/allmydata/test/web/test_web.py
index e7c309d99..29c152cc8 100644
--- a/src/allmydata/test/web/test_web.py
+++ b/src/allmydata/test/web/test_web.py
@@ -782,10 +782,11 @@ class MultiFormatPageTests(unittest.TestCase):
 class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixin, unittest.TestCase):
+ maxDiff = None
+
 def test_create(self):
 pass
- maxDiff = None
 def test_welcome_json(self):
 """
 There is a JSON version of the welcome page which can be selected with the

From 234db487cdf901245097be79483a7d72e4405eb1 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Fri, 13 Apr 2018 12:56:50 -0400
Subject: [PATCH 4/4] Add a unit test for X-Frame-Options being set

---
 src/allmydata/test/web/test_web.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/allmydata/test/web/test_web.py b/src/allmydata/test/web/test_web.py
index 29c152cc8..b285cd01e 100644
--- a/src/allmydata/test/web/test_web.py
+++ b/src/allmydata/test/web/test_web.py
@@ -787,6 +787,20 @@ class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixi
 def test_create(self):
 pass
+ def test_frame_options(self):
+ """
+ All pages deny the ability to be loaded in frames.
+ """
+ d = self.GET("/", return_response=True)
+ def responded(result):
+ _, _, headers = result
+ self.assertEqual(
+ [b"DENY"],
+ headers.getRawHeaders(b"X-Frame-Options"),
+ )
+ d.addCallback(responded)
+ return d
+
 def test_welcome_json(self):
 """
 There is a JSON version of the welcome page which can be selected with the
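Review bot: test_frame_options fetches only `/`, so it does not back the docstring's claim that all pages deny framing; since the header is set on the request before rendering, an error response (a path that does not exist) or a non-HTML resource is the case most worth adding, assuming `self.GET(..., return_response=True)` still hands back the headers for a non-200 status — if it errbacks instead, the WebErrorMixin helpers would be the way to get at the response. Either narrow the docstring to `The welcome page denies the ability to be loaded in frames.` or extend the test to a second path, reusing the `responded` callback for each. The enclosing class Web starts outside the hunk.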