The web interface now protects against frame "click-jacking" attacks (STR #4492)
authormsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Mon, 20 Oct 2014 21:59:33 +0000 (21:59 +0000)
committermsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Mon, 20 Oct 2014 21:59:33 +0000 (21:59 +0000)
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12219 a1ca3aef-8c08-0410-bb20-df032aa958be

CHANGES-2.0.txt
cups/http.c
templates/es/header.tmpl.in
templates/header.tmpl.in

index 17455f62008384384bb8076638ff55b09e3021cf..721007b5e4901961ef02ceb91e80d78298653111 100644 (file)
@@ -8,6 +8,8 @@ CHANGES IN CUPS V2.0.1
        - Printer sharing did not work when systemd was being used (STR #4497)
        - cupsGetPPD* would return a symlink to the PPD in /etc/cups/ppd even if
          it was not readable by the user (STR #4500)
+       - The web interface now protects against frame "click-jacking" attacks
+         (STR #4492)
        - Fixed a crash in ippAttributeString (<rdar://problem/17903871>)
        - RPMs did not build (STR #4490)
 
index 4e1729fd8e228e9ec562db86bfd499a45fdf1c72..dfcd759ac86267e7738ded23d4418b236bf7a585 100644 (file)
@@ -3611,6 +3611,17 @@ httpWriteResponse(http_t        *http,   /* I - HTTP connection */
        return (-1);
       }
     }
+
+   /*
+    * "Click-jacking" defense (STR #4492)...
+    */
+
+    if (httpPrintf(http, "X-Frame-Options: DENY\r\n"
+                         "Content-Security-Policy: frame-ancestors 'none'\r\n") < 1)
+    {
+      http->status = HTTP_STATUS_ERROR;
+      return (-1);
+    }
   }
 
   if (httpWrite2(http, "\r\n", 2) < 2)
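Review bot: The comment block at the top of the added code is indented one column less than the statement it documents (`   /*` against `    if (httpPrintf(`), so it reads as belonging to the enclosing level rather than to the `if`; indenting it to match keeps it consistent with the rest of the function. The `if` block whose closing brace follows the new lines begins outside the hunk, so the condition under which these two headers are written is not visible here. Since both headers are emitted in one call, a short comment on why both are needed would help the next maintainer, e.g. `/* Browsers that implement CSP frame-ancestors use it in preference to X-Frame-Options; older ones honor only the latter. */`.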
index 0449661572777adb33ad5846ba0c6fcbb365e2b0..a6df94cfb9cf77c34dda255a77c328d352a5cd4f 100644 (file)
@@ -8,7 +8,15 @@
     {refresh_page?<meta http-equiv="refresh" content="{refresh_page}">:}
     <meta http-equiv="X-UA-Compatible" content="IE=9">
     <meta name="viewport" content="width=device-width">
+    <style>html{display:none;}</style>
     <script type="text/javascript"><!--
+      /* Only display document if we are not in a frame... */
+      if (self == top) {
+        document.documentElement.style.display = 'block';
+      } else {
+        top.location = self.location;
+      }
+
       /* Show an error if cookies are disabled */
       function check_cookies() {
        if (!navigator.cookieEnabled) {
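Review bot: Because `<style>html{display:none;}</style>` is applied unconditionally and only the script restores `display`, a browser with JavaScript disabled shows a blank page instead of the interface; the identical change in templates/header.tmpl.in has the same effect. Adding `<noscript><style>html{display:block;}</style></noscript>` after the style element restores the page for script-disabled browsers, which remain covered by the X-Frame-Options / CSP headers added in cups/http.c wherever those headers are honored. The in-page check is a fallback for browsers that ignore those headers and, like any script-based frame check, is weaker than the header-based defense, so a comment stating its role would help, e.g. `/* Secondary defense; the primary protection is the X-Frame-Options / CSP header sent by the server. */`.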
index e41da576b4f135bc906eef416d0adb6ea0eb9398..a4beb53dfb6d41b9cc882de81f73989558e47c4c 100644 (file)
@@ -8,7 +8,15 @@
     {refresh_page?<meta http-equiv="refresh" content="{refresh_page}">:}
     <meta http-equiv="X-UA-Compatible" content="IE=9">
     <meta name="viewport" content="width=device-width">
+    <style>html{display:none;}</style>
     <script type="text/javascript"><!--
+      /* Only display document if we are not in a frame... */
+      if (self == top) {
+        document.documentElement.style.display = 'block';
+      } else {
+        top.location = self.location;
+      }
+
       /* Show an error if cookies are disabled */
       function check_cookies() {
        if (!navigator.cookieEnabled) {