-rw-r--r--CHANGES-2.0.txt2
-rw-r--r--cups/http.c11
-rw-r--r--templates/es/header.tmpl.in8
-rw-r--r--templates/header.tmpl.in8
4 files changed, 29 insertions, 0 deletions
diff --git a/CHANGES-2.0.txt b/CHANGES-2.0.txt
index 17455f620..721007b5e 100644
--- a/CHANGES-2.0.txt
+++ b/CHANGES-2.0.txt
@@ -8,6 +8,8 @@ CHANGES IN CUPS V2.0.1
- Printer sharing did not work when systemd was being used (STR #4497)
- cupsGetPPD* would return a symlink to the PPD in /etc/cups/ppd even if
it was not readable by the user (STR #4500)
+ - The web interface now protects against frame "click-jacking" attacks
+ (STR #4492)
- Fixed a crash in ippAttributeString (<rdar://problem/17903871>)
- RPMs did not build (STR #4490)
diff --git a/cups/http.c b/cups/http.c
index 4e1729fd8..dfcd759ac 100644
--- a/cups/http.c
+++ b/cups/http.c
@@ -3611,6 +3611,17 @@ httpWriteResponse(http_t *http, /* I - HTTP connection */
return (-1);
}
}
+
+ /*
+ * "Click-jacking" defense (STR #4492)...
+ */
+
+ if (httpPrintf(http, "X-Frame-Options: DENY\r\n"
+ "Content-Security-Policy: frame-ancestors 'none'\r\n") < 1)
+ {
+ http->status = HTTP_STATUS_ERROR;
+ return (-1);
+ }
}
if (httpWrite2(http, "\r\n", 2) < 2)
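Review bot: The comment above the new httpPrintf call names the defense but not why two headers are sent or how this relates to the template change in the same commit, so a maintainer trimming "redundant" headers later has nothing to go on. I would extend it to `/* "Click-jacking" defense (STR #4492): X-Frame-Options for older browsers, CSP frame-ancestors for current ones; templates/header.tmpl.in adds a script fallback for browsers that honour neither. */`. The block these lines sit in (the `}` on the line after the check closes it) is opened outside the hunk, as is httpWriteResponse itself, so whether the headers go out on every response or only on some cannot be confirmed from here; if the condition is visible in the surrounding code it is worth stating in the comment too.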
diff --git a/templates/es/header.tmpl.in b/templates/es/header.tmpl.in
index 044966157..a6df94cfb 100644
--- a/templates/es/header.tmpl.in
+++ b/templates/es/header.tmpl.in
@@ -8,7 +8,15 @@
{refresh_page?<meta http-equiv="refresh" content="{refresh_page}">:}
<meta http-equiv="X-UA-Compatible" content="IE=9">
<meta name="viewport" content="width=device-width">
+ <style>html{display:none;}</style>
<script type="text/javascript"><!--
+ /* Only display document if we are not in a frame... */
+ if (self == top) {
+ document.documentElement.style.display = 'block';
+ } else {
+ top.location = self.location;
+ }
+
/* Show an error if cookies are disabled */
function check_cookies() {
if (!navigator.cookieEnabled) {
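Review bot: The added `<style>html{display:none;}</style>` hides the document unconditionally and only the new script restores it, so a client with JavaScript disabled is left with a blank page; the same applies to the identical hunk in templates/header.tmpl.in. The hide-first-then-reveal ordering is the right one (a framed page stays hidden even when the `top.location` redirect is blocked), so the fix is to reveal for non-script clients explicitly, e.g. `<noscript><style>html{display:block;}</style></noscript>` right after the new `<style>` line. A minor style point: `self == top` compares two window references, so `self === top` states the intent more precisely. The `<script>` element and check_cookies() continue past the end of the hunk.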
diff --git a/templates/header.tmpl.in b/templates/header.tmpl.in
index e41da576b..a4beb53df 100644
--- a/templates/header.tmpl.in
+++ b/templates/header.tmpl.in
@@ -8,7 +8,15 @@
{refresh_page?<meta http-equiv="refresh" content="{refresh_page}">:}
<meta http-equiv="X-UA-Compatible" content="IE=9">
<meta name="viewport" content="width=device-width">
+ <style>html{display:none;}</style>
<script type="text/javascript"><!--
+ /* Only display document if we are not in a frame... */
+ if (self == top) {
+ document.documentElement.style.display = 'block';
+ } else {
+ top.location = self.location;
+ }
+
/* Show an error if cookies are disabled */
function check_cookies() {
if (!navigator.cookieEnabled) {