Issue 88090048: Avoid clickjacking.

Keyboard Shortcuts

	File
u :	up to issue
m :	publish + mail comments
M :	edit review message
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line
<Enter> :	respond to / edit current comment
d :	mark current comment as done

	Issue
u :	up to list of issues
m :	publish + mail comments
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue
# :	close issue

	Comment/message editing
<Ctrl> + s or <Ctrl> + Enter :	save comment
<Esc> :	cancel edit

Issue 88090048: Avoid clickjacking.

Can't Edit
Can't Publish+Mail
Start Review

Created:
10 years ago by frankban

Modified:
10 years ago

Reviewers:
jeff.pihach, mp+216280

Visibility:
Public.

Description

Avoid clickjacking. Update the builtin and legacy servers to send the proper X-Frame-Options header so that iframing is denied from extraneous origins. The legacy server has been update to ensure clickjacking is not possible on jujucharms.com. Tests: `make unittest`. QA: - juju bootstrap an environment; - run `make deploy`; - wait for the GUI to be ready/started; - open the GUI with the browser and log in; - prepare an HTML page like the following, replacing <GUI UNIT HOSTNAME> with the address of the GUI in your environment: <!DOCTYPE html> <html> <head> <title>test clickjacking</title> </head> <body> <iframe src="https://<GUI UNIT HOSTNAME>" height="800" width="1000"></iframe> </body> </html> - open the test page above with the browser, the iframe should be empty; - switch to the legacy server: `juju set juju-gui builtin-server=false`; - wait a minute for the config-changed hook to complete; - open the test page above with the browser, the iframe should be empty; - destroy the environment. https://code.launchpad.net/~frankban/charms/precise/juju-gui/clickjacking/+merge/216280 (do not edit description out of merge proposal)

Patch Set 1 #

Patch Set 2 : Avoid clickjacking. #

Created: 10 years ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Stats (+25 lines, -1 line)			Patch
A	[revision details]	View	1 chunk	+2 lines, -0 lines	0 comments	Download
M	config/apache-site.template	View	1 chunk	+2 lines, -0 lines	0 comments	Download
M	revision	View	1 chunk	+1 line, -1 line	0 comments	Download
M	server/guiserver/handlers.py	View	1 chunk	+5 lines, -0 lines	0 comments	Download
M	server/guiserver/tests/test_handlers.py	View	1 chunk	+15 lines, -0 lines	0 comments	Download

Messages

Total messages: 4

Expand All Messages | Collapse All Messages

frankban

*** Submitted: Avoid clickjacking. Update the builtin and legacy servers to send the proper X-Frame-Options ...

10 years ago (2014-04-18 10:51:42 UTC) #3

Hi Jeff,

thanks for the review!

Expand All Messages | Collapse All Messages