[WebUI] Avoid clickjacking attacks

8 years ago · f5ad04766f
2 changed files with 6 additions and 1 deletions
--- a/src/base/http/types.h
+++ b/src/base/http/types.h
@ -43,6 +43,7 @@ namespace Http
				@@ -43,6 +43,7 @@ namespace Http
    const QString HEADER_CONTENT_ENCODING = "Content-Encoding";
    const QString HEADER_CONTENT_LENGTH = "Content-Length";
    const QString HEADER_CACHE_CONTROL = "Cache-Control";
+    const QString HEADER_X_FRAME_OPTIONS = "X-Frame-Options";

    const QString CONTENT_TYPE_CSS = "text/css; charset=UTF-8";
    const QString CONTENT_TYPE_GIF = "image/gif";
--- a/src/webui/abstractwebapplication.cpp
+++ b/src/webui/abstractwebapplication.cpp
@ -103,7 +103,11 @@ Http::Response AbstractWebApplication::processRequest(const Http::Request &reque
				@@ -103,7 +103,11 @@ Http::Response AbstractWebApplication::processRequest(const Http::Request &reque
    request_ = request;
    env_ = env;

-    clear(); // clear response
+    // clear response
+    clear();
+
+    // avoid clickjacking attacks
+    header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");

    sessionInitialize();
    if (!sessionActive() && !isAuthNeeded())