DescriptionAvoid clickjacking.
Update the builtin and legacy servers to send
the proper X-Frame-Options header so that
iframing is denied from extraneous origins.
The legacy server has been update to ensure
clickjacking is not possible on jujucharms.com.
Tests: `make unittest`.
QA:
- juju bootstrap an environment;
- run `make deploy`;
- wait for the GUI to be ready/started;
- open the GUI with the browser and log in;
- prepare an HTML page like the following, replacing
<GUI UNIT HOSTNAME> with the address of the GUI in
your environment:
<!DOCTYPE html>
<html>
<head>
<title>test clickjacking</title>
</head>
<body>
<iframe src="https://<GUI UNIT HOSTNAME>"
height="800" width="1000"></iframe>
</body>
</html>
- open the test page above with the browser,
the iframe should be empty;
- switch to the legacy server:
`juju set juju-gui builtin-server=false`;
- wait a minute for the config-changed hook
to complete;
- open the test page above with the browser,
the iframe should be empty;
- destroy the environment.
https://code.launchpad.net/~frankban/charms/precise/juju-gui/clickjacking/+merge/216280
(do not edit description out of merge proposal)
Patch Set 1 #Patch Set 2 : Avoid clickjacking. #
MessagesTotal messages: 4
|