author | msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> | 2014-10-20 21:59:33 +0000 |
committer | msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> | 2014-10-20 21:59:33 +0000 |
commit | 241474b0d9e8cd99b440f38890bcb78eaac34b74 (patch) | |
tree | 7d64e5be0404dedea9e0f39d41c17936c2e77945 | |
parent | 9b9c3de281cf9178802d480453ce223ba9849214 (diff) |
The web interface now protects against frame "click-jacking" attacks (STR #4492)
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12219 a1ca3aef-8c08-0410-bb20-df032aa958be
-rw-r--r-- | CHANGES-2.0.txt | 2 | ||||
-rw-r--r-- | cups/http.c | 11 | ||||
-rw-r--r-- | templates/es/header.tmpl.in | 8 | ||||
-rw-r--r-- | templates/header.tmpl.in | 8 |
4 files changed, 29 insertions, 0 deletions
diff --git a/CHANGES-2.0.txt b/CHANGES-2.0.txt
index 17455f620..721007b5e 100644
--- a/CHANGES-2.0.txt
+++ b/CHANGES-2.0.txt
@@ -8,6 +8,8 @@ CHANGES IN CUPS V2.0.1
 - Printer sharing did not work when systemd was being used (STR #4497)
 - cupsGetPPD* would return a symlink to the PPD in /etc/cups/ppd even if it was not readable by the user (STR #4500)
+ - The web interface now protects against frame "click-jacking" attacks
+ (STR #4492)
 - Fixed a crash in ippAttributeString (<rdar://problem/17903871>)
 - RPMs did not build (STR #4490)
diff --git a/cups/http.c b/cups/http.c
index 4e1729fd8..dfcd759ac 100644
--- a/cups/http.c
+++ b/cups/http.c
@@ -3611,6 +3611,17 @@ httpWriteResponse(http_t *http, /* I - HTTP connection */
 return (-1);
 }
 }
+
+ /*
+ * "Click-jacking" defense (STR #4492)...
+ */
+
+ if (httpPrintf(http, "X-Frame-Options: DENY\r\n"
+ "Content-Security-Policy: frame-ancestors 'none'\r\n") < 1)
+ {
+ http->status = HTTP_STATUS_ERROR;
+ return (-1);
+ }
 }
 if (httpWrite2(http, "\r\n", 2) < 2)
diff --git a/templates/es/header.tmpl.in b/templates/es/header.tmpl.in
index 044966157..a6df94cfb 100644
--- a/templates/es/header.tmpl.in
+++ b/templates/es/header.tmpl.in
@@ -8,7 +8,15 @@
 {refresh_page?<meta http-equiv="refresh" content="{refresh_page}">:}
 <meta http-equiv="X-UA-Compatible" content="IE=9">
 <meta name="viewport" content="width=device-width">
+ <style>html{display:none;}</style>
 <script type="text/javascript"><!--
+ /* Only display document if we are not in a frame... */
+ if (self == top) {
+ document.documentElement.style.display = 'block';
+ } else {
+ top.location = self.location;
+ }
+
 /* Show an error if cookies are disabled */
 function check_cookies() {
 if (!navigator.cookieEnabled) {
diff --git a/templates/header.tmpl.in b/templates/header.tmpl.in
index e41da576b..a4beb53df 100644
--- a/templates/header.tmpl.in
+++ b/templates/header.tmpl.in
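Review bot: The two anti-framing headers are emitted from libcups's generic httpWriteResponse, so presumably every response written through this function — not only the web interface's HTML pages, and including any third-party server linked against libcups — now forbids framing, and `DENY` also rules out the same-origin embedding that `SAMEORIGIN` would still permit. If that blanket policy is intended, the comment should say so, e.g. `/* "Click-jacking" defense (STR #4492): sent on every response; DENY rather than SAMEORIGIN because the web interface never frames itself. */`. The `< 1` check on httpPrintf mirrors the existing header write just above, which is consistent. The enclosing block and httpWriteResponse itself begin outside the hunk, so an outer condition that restricts this to server-mode or HTML responses cannot be confirmed here.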
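Review bot: The added `<style>html{display:none;}</style>` has no `<noscript>` counterpart, so a visitor with JavaScript disabled now gets a permanently blank page — the `display = 'block'` that undoes the style only ever runs from script. Adding `<noscript><style>html{display:block;}</style></noscript>` directly after the style line keeps the interface usable without script while leaving the scripted frame-buster in place; for such clients the `X-Frame-Options`/`frame-ancestors` headers added in cups/http.c remain the real defense, the script only covers browsers that honour neither. The same lines appear in the templates/header.tmpl.in hunk that follows and need the same fix. `self == top` would more conventionally be written `window.self === window.top`, though the loose comparison is harmless here.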
@@ -8,7 +8,15 @@
 {refresh_page?<meta http-equiv="refresh" content="{refresh_page}">:}
 <meta http-equiv="X-UA-Compatible" content="IE=9">
 <meta name="viewport" content="width=device-width">
+ <style>html{display:none;}</style>
 <script type="text/javascript"><!--
+ /* Only display document if we are not in a frame... */
+ if (self == top) {
+ document.documentElement.style.display = 'block';
+ } else {
+ top.location = self.location;
+ }
+
 /* Show an error if cookies are disabled */
 function check_cookies() {
 if (!navigator.cookieEnabled) {