Reviewers: mp+216280_code.launchpad.net,

Message:
Please take a look.

Description:
Avoid clickjacking.

Update the builtin and legacy servers to send the proper X-Frame-Options header so that iframing is denied from extraneous origins.
The legacy server has been updated to ensure clickjacking is not possible on jujucharms.com.

Tests: `make unittest`.

QA:
- juju bootstrap an environment;
- run `make deploy`;
- wait for the GUI to be ready/started;
- open the GUI with the browser and log in;
- prepare an HTML page like the following, replacing with the address of the GUI in your environment: test clickjacking
- open the test page above with the browser, the iframe should be empty;
- switch to the legacy server: `juju set juju-gui builtin-server=false`;
- wait a minute for the config-changed hook to complete;
- open the test page above with the browser, the iframe should be empty;
- destroy the environment.

https://code.launchpad.net/~frankban/charms/precise/juju-gui/clickjacking/+merge/216280
(do not edit description out of merge proposal)

Please review this at https://codereview.appspot.com/88090048/

Affected files (+25, -1 lines):
  A [revision details]
  M config/apache-site.template
  M revision
  M server/guiserver/handlers.py
  M server/guiserver/tests/test_handlers.py

Index: [revision details]
=== added file '[revision details]'
--- [revision details]	2012-01-01 00:00:00 +0000
+++ [revision details]	2012-01-01 00:00:00 +0000
@@ -0,0 +1,2 @@
+Old revision:
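The merge proposal above describes the defence (an X-Frame-Options response header) and a manual QA procedure (load the GUI in an iframe from a foreign page and confirm it stays empty). The following is an added example written for this page, not code from the juju-gui charm or its guiserver: a minimal stand-in HTTP server that sends the header, plus a checker that fetches a URL and reports how a browser would treat a cross-origin iframe of it. The server, handler name, header value `SAMEORIGIN` and the verdict labels are assumptions of this example; the real merge may choose a different value, and the diff above does not show it. For the Apache-backed legacy server the equivalent (also an assumption here, not taken from `config/apache-site.template`) would be a mod_headers directive such as `Header always set X-Frame-Options "SAMEORIGIN"`.

```python
"""Added example: send X-Frame-Options and verify it over HTTP.

Assumptions (not from the merge proposal): the server is a throwaway
http.server stand-in for the GUI, the header value is SAMEORIGIN, and the
verdict strings below are this example's own vocabulary.
"""
import http.server
import threading
import urllib.request
from typing import Optional

# Assumption: deny framing from any origin other than the GUI's own.
FRAME_OPTIONS = "SAMEORIGIN"


def frame_options_verdict(value: Optional[str]) -> str:
    """Classify an X-Frame-Options value the way a browser treats a
    cross-origin <iframe> of the response.

    Missing or unrecognised values leave the page framable, which is the
    clickjacking condition the QA steps are meant to catch.
    """
    if value is None:
        return "framable"
    v = value.strip().upper()
    if v == "DENY":
        return "denied"
    if v == "SAMEORIGIN":
        return "same-origin-only"
    if v.startswith("ALLOW-FROM"):
        # Obsolete syntax; current browsers ignore it entirely.
        return "allow-from"
    return "invalid"  # ignored by browsers, so effectively framable


class GuiStandInHandler(http.server.BaseHTTPRequestHandler):
    """Hypothetical GUI endpoint that sets the anti-clickjacking header."""

    def do_GET(self):
        body = b"<html><body>GUI login page (constructed sample)</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("X-Frame-Options", FRAME_OPTIONS)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def serve_in_background() -> http.server.HTTPServer:
    """Bind to an ephemeral loopback port and serve on a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), GuiStandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_clickjacking_protection(url: str) -> str:
    """Fetch `url` and return the verdict for its X-Frame-Options header.

    This is the automated counterpart of "open the test page, the iframe
    should be empty": anything other than 'denied' or 'same-origin-only'
    means a foreign page could frame the GUI.
    """
    with urllib.request.urlopen(url, timeout=5) as resp:
        return frame_options_verdict(resp.headers.get("X-Frame-Options"))


def qa_check() -> str:
    """Spin up the stand-in server, probe it, and tear it down."""
    srv = serve_in_background()
    try:
        host, port = srv.server_address
        return check_clickjacking_protection(f"http://{host}:{port}/")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(qa_check())
```

Pointing `check_clickjacking_protection` at a deployed GUI (builtin server, then after `juju set juju-gui builtin-server=false`) gives a repeatable version of the two "iframe should be empty" QA steps; a result of `framable` or `invalid` on either server is a failing check.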