Legacy issue tracker

You are currently viewing the legacy bug tracker for MediaGoblin. We have now switched to code hosting and issue tracking at SourceHut.

This legacy issue tracker remains available to allow us to reference old issues. If you find a ticket here which is still relevant, please feel free to continue the discussion. For new issues, please use SourceHut.

Context Navigation

← Previous Ticket
Next Ticket →

Opened 9 years ago

Last modified 6 years ago

#5404 review defect

X-Frame-Options for admin/moderator views

Reported by:	Matt Molyneaux	Owned by:
Priority:	major	Milestone:
Component:	programming	Keywords:
Cc:		Parent Tickets:

Description

Currently Mediagoblin doesn't do anything to prevent clickjacking.

Setting X-Frame-Options: SAMEORIGIN in responses for those views would protect against this attack.

Change History (3)

comment:1 by ayleph, 7 years ago

Here's a first stab at this using a meddleware class to set X-Frame-Options = SAMEORIGIN for all views. A better solution would would probably use decorators to set X-Frame-Options headers on specific views as mentioned in the ticket title.

diff --git a/mediagoblin/meddleware/__init__.py b/mediagoblin/meddleware/__init__.py
index 886c9ad9..7c520b0c 100644
--- a/mediagoblin/meddleware/__init__.py
+++ b/mediagoblin/meddleware/__init__.py
@@ -16,6 +16,7 @@
 
 ENABLED_MEDDLEWARE = [
     'mediagoblin.meddleware.csrf:CsrfMeddleware',
+    'mediagoblin.meddleware.xframeoptions:XFrameOptionsMeddleware',
     ]
 
 
diff --git a/mediagoblin/meddleware/xframeoptions.py b/mediagoblin/meddleware/xframeoptions.py
new file mode 100644
index 00000000..d82cab24
--- /dev/null
+++ b/mediagoblin/meddleware/xframeoptions.py
@@ -0,0 +1,22 @@
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from mediagoblin.meddleware import BaseMeddleware
+
+
+class XFrameOptionsMeddleware(BaseMeddleware):
+    def process_response(self, request, response):
+        response.headers.set('X-Frame-Options', 'SAMEORIGIN')

Last edited 7 years ago by ayleph (previous) (diff)

comment:2 by ayleph, 7 years ago

Status:	new → accepted

comment:3 by ShawnRisk, 6 years ago

Status:	accepted → review

Note: See TracTickets for help on using tickets.

Download in other formats: