Specify response header X-Frame-Options SAMEORIGIN for generated pages

author James Moger <james.moger@gitblit.com>

Fri, 5 Sep 2014 19:32:04 +0000 (15:32 -0400)

committer James Moger <james.moger@gitblit.com>

Fri, 5 Sep 2014 19:32:04 +0000 (15:32 -0400)
author James Moger <james.moger@gitblit.com>
Fri, 5 Sep 2014 19:32:04 +0000 (15:32 -0400)
committer James Moger <james.moger@gitblit.com>
Fri, 5 Sep 2014 19:32:04 +0000 (15:32 -0400)
diff --git a/src/main/java/com/gitblit/wicket/pages/BasePage.java b/src/main/java/com/gitblit/wicket/pages/BasePage.java

index 49710397d91512b77f666c305c879d5aa259ec94..b454b7a8725493ff4ed6fadf8a463ce5c2b850cf 100644 (file)
--- a/src/main/java/com/gitblit/wicket/pages/BasePage.java
+++ b/src/main/java/com/gitblit/wicket/pages/BasePage.java
@@ -166,6 +166,9 @@ public abstract class BasePage extends SessionPage {
                         // use default Wicket caching behavior\r
                         super.setHeaders(response);\r
                 }\r
+\r
+               // XRF vulnerability. issue-500 / ticket-166\r
+               response.setHeader("X-Frame-Options", "SAMEORIGIN");\r
         }\r
  \r
         /**\r
author	James Moger <james.moger@gitblit.com>
	Fri, 5 Sep 2014 19:32:04 +0000 (15:32 -0400)
committer	James Moger <james.moger@gitblit.com>
	Fri, 5 Sep 2014 19:32:04 +0000 (15:32 -0400)