Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(1273)

Issue 88090048: Avoid clickjacking.

Can't Edit
Can't Publish+Mail
Start Review
Created:
8 years, 1 month ago by frankban
Modified:
8 years, 1 month ago
Reviewers:
jeff.pihach, mp+216280
Visibility:
Public.

Description

Avoid clickjacking. Update the builtin and legacy servers to send the proper X-Frame-Options header so that iframing is denied from extraneous origins. The legacy server has been update to ensure clickjacking is not possible on jujucharms.com. Tests: `make unittest`. QA: - juju bootstrap an environment; - run `make deploy`; - wait for the GUI to be ready/started; - open the GUI with the browser and log in; - prepare an HTML page like the following, replacing <GUI UNIT HOSTNAME> with the address of the GUI in your environment: <!DOCTYPE html> <html> <head> <title>test clickjacking</title> </head> <body> <iframe src="https://<GUI UNIT HOSTNAME>" height="800" width="1000"></iframe> </body> </html> - open the test page above with the browser, the iframe should be empty; - switch to the legacy server: `juju set juju-gui builtin-server=false`; - wait a minute for the config-changed hook to complete; - open the test page above with the browser, the iframe should be empty; - destroy the environment. https://code.launchpad.net/~frankban/charms/precise/juju-gui/clickjacking/+merge/216280 (do not edit description out of merge proposal)

Patch Set 1 #

Patch Set 2 : Avoid clickjacking. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+25 lines, -1 line) Patch
A [revision details] View 1 chunk +2 lines, -0 lines 0 comments Download
M config/apache-site.template View 1 chunk +2 lines, -0 lines 0 comments Download
M revision View 1 chunk +1 line, -1 line 0 comments Download
M server/guiserver/handlers.py View 1 chunk +5 lines, -0 lines 0 comments Download
M server/guiserver/tests/test_handlers.py View 1 chunk +15 lines, -0 lines 0 comments Download

Messages

Total messages: 4
frankban
Please take a look.
8 years, 1 month ago (2014-04-17 09:38:25 UTC) #1
jeff.pihach
LGTM Looks good thanks for this!
8 years, 1 month ago (2014-04-17 19:12:02 UTC) #2
frankban
*** Submitted: Avoid clickjacking. Update the builtin and legacy servers to send the proper X-Frame-Options ...
8 years, 1 month ago (2014-04-18 10:51:42 UTC) #3
frankban
8 years, 1 month ago (2014-04-18 10:55:16 UTC) #4
Hi Jeff,

thanks for the review!
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b