Fossil SCM
Add the X-Frame-Options: DENY header to HTTP responses, and a comment lamenting that two other helpful security headers can't really be used without breaking things.
Commit
95f04bbfbf9bd8ccb4ed2e8793bf8cacf773e668
Parent
e4b57a32303398a…
1 file changed
+18
+18
| --- src/cgi.c | ||
| +++ src/cgi.c | ||
| @@ -293,10 +293,28 @@ | ||
| 293 | 293 | } |
| 294 | 294 | |
| 295 | 295 | if( blob_size(&extraHeader)>0 ){ |
| 296 | 296 | fprintf(g.httpOut, "%s", blob_buffer(&extraHeader)); |
| 297 | 297 | } |
| 298 | + | |
| 299 | + /* Add headers to turn on useful security options in browsers. */ | |
| 300 | + fprintf(g.httpOut, "X-Frame-Options: DENY\r\n"); | |
| 301 | + /* This stops fossil pages appearing in frames or iframes, preventing | |
| 302 | + ** click-jacking attacks on supporting browsers. | |
| 303 | + ** | |
| 304 | + ** Other good headers would be | |
| 305 | + ** Strict-Transport-Security: max-age=62208000 | |
| 306 | + ** if we're using https. However, this would break sites which serve different | |
| 307 | + ** content on http and https protocols. Also, | |
| 308 | + ** X-Content-Security-Policy: allow 'self' | |
| 309 | + ** would help mitigate some XSS and data injection attacks, but will break | |
| 310 | + ** deliberate inclusion of external resources, such as JavaScript syntax | |
| 311 | + ** highlighter scripts. | |
| 312 | + ** | |
| 313 | + ** These headers are probably best added by the web server hosting fossil as | |
| 314 | + ** a CGI script. | |
| 315 | + */ | |
| 298 | 316 | |
| 299 | 317 | if( g.isConst ){ |
| 300 | 318 | /* constant means that the input URL will _never_ generate anything |
| 301 | 319 | ** else. In the case of attachments, the contents won't change because |
| 302 | 320 | ** an attempt to change them generates a new attachment number. In the |
| 303 | 321 |
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -293,10 +293,28 @@ | |
| 293 | } |
| 294 | |
| 295 | if( blob_size(&extraHeader)>0 ){ |
| 296 | fprintf(g.httpOut, "%s", blob_buffer(&extraHeader)); |
| 297 | } |
| 298 | |
| 299 | if( g.isConst ){ |
| 300 | /* constant means that the input URL will _never_ generate anything |
| 301 | ** else. In the case of attachments, the contents won't change because |
| 302 | ** an attempt to change them generates a new attachment number. In the |
| 303 |
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -293,10 +293,28 @@ | |
| 293 | } |
| 294 | |
| 295 | if( blob_size(&extraHeader)>0 ){ |
| 296 | fprintf(g.httpOut, "%s", blob_buffer(&extraHeader)); |
| 297 | } |
| 298 | |
| 299 | /* Add headers to turn on useful security options in browsers. */ |
| 300 | fprintf(g.httpOut, "X-Frame-Options: DENY\r\n"); |
| 301 | /* This stops fossil pages appearing in frames or iframes, preventing |
| 302 | ** click-jacking attacks on supporting browsers. |
| 303 | ** |
| 304 | ** Other good headers would be |
| 305 | ** Strict-Transport-Security: max-age=62208000 |
| 306 | ** if we're using https. However, this would break sites which serve different |
| 307 | ** content on http and https protocols. Also, |
| 308 | ** X-Content-Security-Policy: allow 'self' |
| 309 | ** would help mitigate some XSS and data injection attacks, but will break |
| 310 | ** deliberate inclusion of external resources, such as JavaScript syntax |
| 311 | ** highlighter scripts. |
| 312 | ** |
| 313 | ** These headers are probably best added by the web server hosting fossil as |
| 314 | ** a CGI script. |
| 315 | */ |
| 316 | |
| 317 | if( g.isConst ){ |
| 318 | /* constant means that the input URL will _never_ generate anything |
| 319 | ** else. In the case of attachments, the contents won't change because |
| 320 | ** an attempt to change them generates a new attachment number. In the |
| 321 |