OSP/Web: added support for X-Frame-Options header

macchina-io · Jun 8, 2020 · 8604450 · 8604450
1 parent 037f15e
commit 8604450
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/platform/OSP/Web/doc/01000-OSPWeb.page b/platform/OSP/Web/doc/01000-OSPWeb.page
@@ -381,7 +381,11 @@ The web server can be configured by setting the following properties in the glob
   - <[osp.web.xssProtection.mode]>: Specifies the <[mode]> parameter for the <[X-XSS-Protection]> header and
     defaults to "block".
   - <[osp.web.contentTypeOptions]>: Specifies the value of the <[X-Content-Type-Options]> header sent with
-    every HTTP response. Defaults to <[nosniff]>.
+    every HTTP response. Defaults to <[nosniff]>. Can be set to an empty string to disable
+    this header, which is not recommended.
+  - <[osp.web.frameOptions]>: Specivies the value of the <[X-Frame-Options]> header sent with every
+    HTTP response. Defaults to none (no <[X-Frame-Options]> header sent). Valid values are
+    <[DENY]> and <[SAMEORIGIN]>.
   - <[osp.web.addAuthHeader]>: If set to true (default), and authentication/authorization has been enabled for
     a resource and has been successful, a header named "X-OSP-Authorized-User" containing the
     authenticated and authorized username is added to the Poco::Net::HTTPRequest, for use

diff --git a/platform/OSP/Web/src/WebBundleActivator.cpp b/platform/OSP/Web/src/WebBundleActivator.cpp
@@ -22,6 +22,7 @@
 #include "Poco/OSP/Web/WebServerExtensionPoint.h"
 #include "Poco/OSP/Web/WebFilterExtensionPoint.h"
 #include "Poco/StringTokenizer.h"
+#include "Poco/String.h"
 #include "Poco/Format.h"
 #include "Poco/AutoPtr.h"
 #include "Poco/Delegate.h"
@@ -92,6 +93,7 @@ class WebBundleActivator: public BundleActivator
 		bool xssProtEnable(pContext->thisBundle()->properties().getBool("xssProtection.enable", false));
 		std::string xssProtMode(pContext->thisBundle()->properties().getString("xssProtection.mode", "block"));
 		std::string contentTypeOptions(pContext->thisBundle()->properties().getString("contentTypeOptions", "nosniff"));
+		std::string frameOptions(pContext->thisBundle()->properties().getString("frameOptions", ""));
 		bool addAuthHeader(pContext->thisBundle()->properties().getBool("addAuthHeader", true));
 		bool addSignature(pContext->thisBundle()->properties().getBool("addSignature", true));
 		int authMethods = 0;
@@ -119,6 +121,7 @@ class WebBundleActivator: public BundleActivator
 			xssProtEnable = pPrefsSvc->configuration()->getBool("osp.web.xssProtection.enable", xssProtEnable);
 			xssProtMode = pPrefsSvc->configuration()->getString("osp.web.xssProtection.mode", xssProtMode);
 			contentTypeOptions = pPrefsSvc->configuration()->getString("osp.web.contentTypeOptions", contentTypeOptions);
+			frameOptions = pPrefsSvc->configuration()->getString("osp.web.frameOptions", frameOptions);
 			addAuthHeader = pPrefsSvc->configuration()->getBool("osp.web.addAuthHeader", addAuthHeader);
 			addSignature = pPrefsSvc->configuration()->getBool("osp.web.addSignature", addSignature);
 			authMethods = WebServerDispatcher::parseAuthMethods(pPrefsSvc->configuration()->getString("osp.web.authMethods", ""));
@@ -131,7 +134,7 @@ class WebBundleActivator: public BundleActivator
 		Poco::Net::NameValueCollection customResponseHeaders;
 		if (hstsEnable)
 		{
-			std::string hstsHeader(Poco::format("maxAge=%d", hstsMaxAge));
+			std::string hstsHeader(Poco::format("max-age=%d", hstsMaxAge));
 			if (hstsIncludeSubdomains) hstsHeader += "; includeSubdomains";
 			customResponseHeaders.add("Strict-Transport-Security", hstsHeader);
 		}
@@ -143,6 +146,10 @@ class WebBundleActivator: public BundleActivator
 		{
 			customResponseHeaders.add("X-Content-Type-Options", contentTypeOptions);
 		}
+		if (!frameOptions.empty())
+		{
+			customResponseHeaders.add("X-Frame-Options", Poco::toUpper(frameOptions));
+		}
 
 		WebServerDispatcher::Config config;
 		config.pContext = pContext;