Merge pull request #487 from tahoe-lafs/1455.x-frame-options.2

Set `X-Frame-Options: DENY` for all web status pages.

This prevents attackers from loading web status pages in a frame as a way to trick users into interactions which attackers are restricted from performing unaided.

src/allmydata/test/web/test_web.py

@@ -782,10 +782,25 @@ class MultiFormatPageTests(unittest.TestCase):
 
 
 class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixin, unittest.TestCase):
+    maxDiff = None
+
     def test_create(self):
         pass
 
-    maxDiff = None
+    def test_frame_options(self):
+        """
+        All pages deny the ability to be loaded in frames.
+        """
+        d = self.GET("/", return_response=True)
+        def responded(result):
+            _, _, headers = result
+            self.assertEqual(
+                [b"DENY"],
+                headers.getRawHeaders(b"X-Frame-Options"),
+            )
+        d.addCallback(responded)
+        return d
+
     def test_welcome_json(self):
         """
         There is a JSON version of the welcome page which can be selected with the

src/allmydata/webish.py

@@ -49,6 +49,10 @@ class MyRequest(appserver.NevowRequest):
         self.client = self.channel.transport.getPeer()
         self.host = self.channel.transport.getHost()
 
+        # Adding security headers. These will be sent for *all* HTTP requests.
+        # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+        self.responseHeaders.setRawHeaders("X-Frame-Options", ["DENY"])
+
         # Argument processing.
 
 ##      The original twisted.web.http.Request.requestReceived code parsed the