Code review comment for lp:~frankban/charms/precise/juju-gui/clickjacking
Revision history for this message
| Francesco Banconi (frankban) wrote | # |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
Reviewers: mp+216280_
Message:
Please take a look.
Description:
Avoid clickjacking.
Update the builtin and legacy servers to send
the proper X-Frame-Options header so that
iframing is denied from extraneous origins.
The legacy server has been update to ensure
clickjacking is not possible on jujucharms.com.
Tests: `make unittest`.
QA:
- juju bootstrap an environment;
- run `make deploy`;
- wait for the GUI to be ready/started;
- open the GUI with the browser and log in;
- prepare an HTML page like the following, replacing
<GUI UNIT HOSTNAME> with the address of the GUI in
your environment:
<!DOCTYPE html>
<html>
<head>
<title>test clickjacking<
</head>
<body>
<iframe src="https://<GUI UNIT HOSTNAME>"
height="800" width="
</body>
</html>
- open the test page above with the browser,
the iframe should be empty;
- switch to the legacy server:
`juju set juju-gui builtin-
- wait a minute for the config-changed hook
to complete;
- open the test page above with the browser,
the iframe should be empty;
- destroy the environment.
https:/
(do not edit description out of merge proposal)
Please review this at https:/
Affected files (+25, -1 lines):
A [revision details]
M config/
M revision
M server/
M server/
Index: [revision details]
=== added file '[revision details]'
--- [revision details] 2012-01-01 00:00:00 +0000
+++ [revision details] 2012-01-01 00:00:00 +0000
@@ -0,0 +1,2 @@
+Old revision:
<email address hidden>
+New revision:
<email address hidden>
Index: revision
=== modified file 'revision'
--- revision 2014-04-14 17:00:09 +0000
+++ revision 2014-04-17 09:17:07 +0000
@@ -1,1 +1,1 @@
-111
+112
Index: config/
=== modified file 'config/
--- config/
+++ config/
@@ -31,5 +31,7 @@
Header unset Cache-Control
Header set Cache-Control "max-age=0, public, must-revalidate"
+ # Avoid user-interface redressing (e.g. clickjacking).
+ Header always append X-Frame-Options SAMEORIGIN
</VirtualHost>
Index: server/
=== modified file 'server/
--- server/
+++ server/
@@ -226,6 +226,11 @@
"""See tornado.
return os.path.join(root, 'index.html')
+ def set_default_
+ """Set custom HTTP headers at the beginning of the request."""
+ # Avoid user-interface redressing (e.g. clickjacking).
+ self.set_
+
class ProxyHandler(
"""An HTTP(S) proxy from the server to the given target URL."""
Index: server/
=== modified file 'server/
--- server/
+++ server/
@@ -501,6 +501,21 @@
# Requests including flags and queries are served by the index
file.
+ def test_headers(self):
+ # The expected Content-Type, ETag and clickjacking protection
headers
+ # are correctly sent by the server.
+ response = self.fetch('/')
+ headers = response.headers
+ # Check response content type.
+ self.assertIn(
+ self.assertEqua
+ # Check cache headers.
+ self.assertIn(
+ self.assertIn(
+ # Check X-Frame headers.
+ self.assertIn(
+ self.assertEqua
+
class TestProxyHandle