From: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Date: Mon, 20 Oct 2014 21:59:33 +0000 (+0000)
Subject: The web interface now protects against frame "click-jacking" attacks (STR #4492)
X-Git-Tag: v2.2b1~457
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=241474b0d9e8cd99b440f38890bcb78eaac34b74;p=thirdparty%2Fcups.git

The web interface now protects against frame "click-jacking" attacks (STR #4492)



git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12219 a1ca3aef-8c08-0410-bb20-df032aa958be
---

diff --git a/CHANGES-2.0.txt b/CHANGES-2.0.txt
index 17455f6200..721007b5e4 100644
--- a/CHANGES-2.0.txt
+++ b/CHANGES-2.0.txt
@@ -8,6 +8,8 @@ CHANGES IN CUPS V2.0.1
 	- Printer sharing did not work when systemd was being used (STR #4497)
 	- cupsGetPPD* would return a symlink to the PPD in /etc/cups/ppd even if
 	  it was not readable by the user (STR #4500)
+	- The web interface now protects against frame "click-jacking" attacks
+	  (STR #4492)
 	- Fixed a crash in ippAttributeString (<rdar://problem/17903871>)
 	- RPMs did not build (STR #4490)
 
diff --git a/cups/http.c b/cups/http.c
index 4e1729fd8e..dfcd759ac8 100644
--- a/cups/http.c
+++ b/cups/http.c
@@ -3611,6 +3611,17 @@ httpWriteResponse(http_t        *http,	/* I - HTTP connection */
 	return (-1);
       }
     }
+
+   /*
+    * "Click-jacking" defense (STR #4492)...
+    */
+
+    if (httpPrintf(http, "X-Frame-Options: DENY\r\n"
+                         "Content-Security-Policy: frame-ancestors 'none'\r\n") < 1)
+    {
+      http->status = HTTP_STATUS_ERROR;
+      return (-1);
+    }
   }
 
   if (httpWrite2(http, "\r\n", 2) < 2)
diff --git a/templates/es/header.tmpl.in b/templates/es/header.tmpl.in
index 0449661572..a6df94cfb9 100644
--- a/templates/es/header.tmpl.in
+++ b/templates/es/header.tmpl.in
@@ -8,7 +8,15 @@
     {refresh_page?<meta http-equiv="refresh" content="{refresh_page}">:}
     <meta http-equiv="X-UA-Compatible" content="IE=9">
     <meta name="viewport" content="width=device-width">
+    <style>html{display:none;}</style>
     <script type="text/javascript"><!--
+      /* Only display document if we are not in a frame... */
+      if (self == top) {
+        document.documentElement.style.display = 'block';
+      } else {
+        top.location = self.location;
+      }
+
       /* Show an error if cookies are disabled */
       function check_cookies() {
 	if (!navigator.cookieEnabled) {
diff --git a/templates/header.tmpl.in b/templates/header.tmpl.in
index e41da576b4..a4beb53dfb 100644
--- a/templates/header.tmpl.in
+++ b/templates/header.tmpl.in
@@ -8,7 +8,15 @@
     {refresh_page?<meta http-equiv="refresh" content="{refresh_page}">:}
     <meta http-equiv="X-UA-Compatible" content="IE=9">
     <meta name="viewport" content="width=device-width">
+    <style>html{display:none;}</style>
     <script type="text/javascript"><!--
+      /* Only display document if we are not in a frame... */
+      if (self == top) {
+        document.documentElement.style.display = 'block';
+      } else {
+        top.location = self.location;
+      }
+
       /* Show an error if cookies are disabled */
       function check_cookies() {
 	if (!navigator.cookieEnabled) {