Opened 9 years ago

Last modified 6 years ago

#5404 review defect

X-Frame-Options for admin/moderator views

Reported by: Matt Molyneaux Owned by:
Priority: major Milestone:
Component: programming Keywords:
Cc: Parent Tickets:

Description

Currently Mediagoblin doesn't do anything to prevent clickjacking.

Setting X-Frame-Options: SAMEORIGIN in responses for those views would protect against this attack.

Change History (3)

comment:1 by ayleph, 7 years ago

Here's a first stab at this using a meddleware class to set X-Frame-Options = SAMEORIGIN for all views. A better solution would would probably use decorators to set X-Frame-Options headers on specific views as mentioned in the ticket title.

diff --git a/mediagoblin/meddleware/__init__.py b/mediagoblin/meddleware/__init__.py
index 886c9ad9..7c520b0c 100644
--- a/mediagoblin/meddleware/__init__.py
+++ b/mediagoblin/meddleware/__init__.py
@@ -16,6 +16,7 @@
 
 ENABLED_MEDDLEWARE = [
     'mediagoblin.meddleware.csrf:CsrfMeddleware',
+    'mediagoblin.meddleware.xframeoptions:XFrameOptionsMeddleware',
     ]
 
 
diff --git a/mediagoblin/meddleware/xframeoptions.py b/mediagoblin/meddleware/xframeoptions.py
new file mode 100644
index 00000000..d82cab24
--- /dev/null
+++ b/mediagoblin/meddleware/xframeoptions.py
@@ -0,0 +1,22 @@
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from mediagoblin.meddleware import BaseMeddleware
+
+
+class XFrameOptionsMeddleware(BaseMeddleware):
+    def process_response(self, request, response):
+        response.headers.set('X-Frame-Options', 'SAMEORIGIN')
Last edited 7 years ago by ayleph (previous) (diff)

comment:2 by ayleph, 7 years ago

Status: newaccepted

comment:3 by ShawnRisk, 6 years ago

Status: acceptedreview
Note: See TracTickets for help on using tickets.