[WebUI] Avoid clickjacking attacks

qbittorrent · Mar 3, 2017 · f5ad047 · f5ad047 · carnil · Mar 6, 2017
1 parent f9c39e3
commit f5ad047
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/src/base/http/types.h b/src/base/http/types.h
@@ -43,6 +43,7 @@ namespace Http
     const QString HEADER_CONTENT_ENCODING = "Content-Encoding";
     const QString HEADER_CONTENT_LENGTH = "Content-Length";
     const QString HEADER_CACHE_CONTROL = "Cache-Control";
+    const QString HEADER_X_FRAME_OPTIONS = "X-Frame-Options";
 
     const QString CONTENT_TYPE_CSS = "text/css; charset=UTF-8";
     const QString CONTENT_TYPE_GIF = "image/gif";

diff --git a/src/webui/abstractwebapplication.cpp b/src/webui/abstractwebapplication.cpp
@@ -103,7 +103,11 @@ Http::Response AbstractWebApplication::processRequest(const Http::Request &reque
     request_ = request;
     env_ = env;
 
-    clear(); // clear response
+    // clear response
+    clear();
+
+    // avoid clickjacking attacks
+    header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
 
     sessionInitialize();
     if (!sessionActive() && !isAuthNeeded())