-
Committer:
Francesco Banconi
-
Date:
2014-04-18 10:51:37 UTC
-
mfrom:
(181.1.3 clickjacking)
-
Revision ID:
francesco.banconi@canonical.com-20140418105137-mnrwhacf0kcw4261
Avoid clickjacking.
Update the builtin and legacy servers to send
the proper X-Frame-Options header so that
iframing is denied from extraneous origins.
The legacy server has been update to ensure
clickjacking is not possible on jujucharms.com.
Tests: `make unittest`.
QA:
- juju bootstrap an environment;
- run `make deploy`;
- wait for the GUI to be ready/started;
- open the GUI with the browser and log in;
- prepare an HTML page like the following, replacing
<GUI UNIT HOSTNAME> with the address of the GUI in
your environment:
<!DOCTYPE html>
<html>
<head>
<title>test clickjacking</title>
</head>
<body>
<iframe src="https://<GUI UNIT HOSTNAME>"
height="800" width="1000"></iframe>
</body>
</html>
- open the test page above with the browser,
the iframe should be empty;
- switch to the legacy server:
`juju set juju-gui builtin-server=false`;
- wait a minute for the config-changed hook
to complete;
- open the test page above with the browser,
the iframe should be empty;
- destroy the environment.
R=jeff.pihach
CC=
https://codereview.appspot.com/88090048