
[WebUI] Avoid clickjacking attacks

ngosang authored and sledgehammer999 committed Feb 6, 2017
1 parent f9c39e3 commit f5ad04766f4abaa78374ff03704316f8ce04627d
Showing with 6 additions and 1 deletion.
  1. +1 −0 src/base/http/types.h
  2. +5 −1 src/webui/abstractwebapplication.cpp
@@ -43,6 +43,7 @@ namespace Http
const QString HEADER_CONTENT_ENCODING = "Content-Encoding";
const QString HEADER_CONTENT_LENGTH = "Content-Length";
const QString HEADER_CACHE_CONTROL = "Cache-Control";
const QString HEADER_X_FRAME_OPTIONS = "X-Frame-Options";

const QString CONTENT_TYPE_CSS = "text/css; charset=UTF-8";
const QString CONTENT_TYPE_GIF = "image/gif";
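Review bot: X-Frame-Options is the legacy framing control; the current mechanism is the `frame-ancestors` directive of Content-Security-Policy, which browsers prefer when both headers are present. Since this hunk only introduces `HEADER_X_FRAME_OPTIONS`, consider adding a `HEADER_CONTENT_SECURITY_POLICY` constant next to it so the WebUI can emit both headers and older and newer browsers get the same protection.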
@@ -103,7 +103,11 @@ Http::Response AbstractWebApplication::processRequest(const Http::Request &reque
request_ = request;
env_ = env;

clear(); // clear response
// clear response
clear();

// avoid clickjacking attacks
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");

sessionInitialize();
if (!sessionActive() && !isAuthNeeded())
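Review bot: `header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN")` is set unconditionally for every response, which is the right default for the clickjacking fix, but it also rejects any cross-origin embedding of the WebUI, and there is no option to relax it; the comment thread below already reports a user whose iframe setup stops working. Consider documenting this behaviour change (in the commit message or user docs) and, if embedding is meant to stay supported, exposing an allow list through a `Content-Security-Policy: frame-ancestors ...` header rather than dropping the protection. Separately, the reflow of `clear(); // clear response` into a two-line form is unrelated cosmetic churn that widens the diff of a security fix; keep the hunk to the header change.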

2 comments on commit f5ad047

@carnil

replied Mar 6, 2017

This is CVE-2017-6504

@tbyehl

replied Mar 23, 2017

Sigh. I've been iframing the web UI for years and now it's broken.
