
[WebUI] Avoid clickjacking attacks

adaptive-webui-19844
ngosang 8 years ago committed by sledgehammer999
parent
commit
f5ad04766f
No known key found for this signature in database
GPG Key ID: 6E4A2D025B7CC9A2
  1. 1
      src/base/http/types.h
  2. 6
      src/webui/abstractwebapplication.cpp

1
src/base/http/types.h

@ -43,6 +43,7 @@ namespace Http @@ -43,6 +43,7 @@ namespace Http
const QString HEADER_CONTENT_ENCODING = "Content-Encoding";
const QString HEADER_CONTENT_LENGTH = "Content-Length";
const QString HEADER_CACHE_CONTROL = "Cache-Control";
const QString HEADER_X_FRAME_OPTIONS = "X-Frame-Options";
const QString CONTENT_TYPE_CSS = "text/css; charset=UTF-8";
const QString CONTENT_TYPE_GIF = "image/gif";

6
src/webui/abstractwebapplication.cpp

@ -103,7 +103,11 @@ Http::Response AbstractWebApplication::processRequest(const Http::Request &reque @@ -103,7 +103,11 @@ Http::Response AbstractWebApplication::processRequest(const Http::Request &reque
request_ = request;
env_ = env;
clear(); // clear response
// clear response
clear();
// avoid clickjacking attacks
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
sessionInitialize();
if (!sessionActive() && !isAuthNeeded())
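Review bot: The `header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");` call in processRequest protects only through X-Frame-Options, which the CSP `frame-ancestors` directive has superseded; sending both applies the same same-origin framing policy on current and older browsers. I would add `header("Content-Security-Policy", "frame-ancestors 'self'");` next to it, assuming no other code sets a Content-Security-Policy header that this would overwrite. The header is also set before `sessionInitialize()` and the request handlers run, so a later `clear()` on the response would silently drop it; the hunk does not show whether that happens, so a comment such as `// anti-framing header: do not clear() the response after this point` would help. processRequest's body continues outside the hunk.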
