Fossil

Check-in [b968f023]

Overview
Comment: Change X-Frame-Options to SAMEORIGIN to give reasonable click-jacking protection without blocking some client-side scripting currently in use by some fossil users.
SHA1: b968f023a88a6af5c7bcb6e499c42e3173a8e32e
User & Date: ben 2011-08-10 15:54:38
Context
2011-08-12 11:54: When forcing a rollback following an error, reset all SQL statement first so that the rollback can be successful. check-in: 9515143d user: drh tags: trunk
2011-08-10 15:54: Change X-Frame-Options to SAMEORIGIN to give reasonable click-jacking protection without blocking some client side scripting currently in use by some fossil users. check-in: b968f023 user: ben tags: trunk
2011-08-07 22:52: Fix a (harmless) javascript error that occurs when the graph is empty. check-in: 303dd442 user: drh tags: trunk
Changes

Changes to src/cgi.c.

  }

  if( blob_size(&extraHeader)>0 ){
    fprintf(g.httpOut, "%s", blob_buffer(&extraHeader));
  }

  /* Add headers to turn on useful security options in browsers. */
  fprintf(g.httpOut, "X-Frame-Options: DENY\r\n");
  /* This stops fossil pages appearing in frames or iframes, preventing
  ** click-jacking attacks on supporting browsers.
  **
  ** Other good headers would be
  **   Strict-Transport-Security: max-age=62208000
  ** if we're using https. However, this would break sites which serve different
  ** content on http and https protocols. Also,

  }

  if( blob_size(&extraHeader)>0 ){
    fprintf(g.httpOut, "%s", blob_buffer(&extraHeader));
  }

  /* Add headers to turn on useful security options in browsers. */
  fprintf(g.httpOut, "X-Frame-Options: SAMEORIGIN\r\n");
  /* This stops fossil pages appearing in frames or iframes, preventing
  ** click-jacking attacks on supporting browsers.
  **
  ** Other good headers would be
  **   Strict-Transport-Security: max-age=62208000
  ** if we're using https. However, this would break sites which serve different
  ** content on http and https protocols. Also,
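Review bot: the comment immediately below the new `X-Frame-Options: SAMEORIGIN` line is now inaccurate: it still says the header "stops fossil pages appearing in frames or iframes", but SAMEORIGIN only refuses framing by pages from a different origin, while a page on the same origin may still embed fossil (which is what the commit message intends to allow). Suggest rewording that comment to say the header stops fossil pages appearing in frames or iframes served from other origins, so the comment matches the value actually sent and the cross-site click-jacking protection it does provide.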