From 3685bf04d025dbb886014f0e48a71f46945423e7 Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Sun, 13 May 2012 13:05:17 +0000
Subject: [PATCH] add X-Frame-Options to console headers

---
 .../java/src/org/klomp/snark/web/I2PSnarkServlet.java  |  1 +
 apps/i2ptunnel/jsp/edit.jsp                            |  2 ++
 apps/i2ptunnel/jsp/index.jsp                           |  2 ++
 apps/i2ptunnel/jsp/wizard.jsp                          |  2 ++
 .../java/src/net/i2p/router/web/CSSHelper.java         | 10 ++++++++++
 apps/routerconsole/jsp/css.jsi                         |  4 ++++
 apps/susidns/src/jsp/addressbook.jsp                   |  2 ++
 apps/susidns/src/jsp/config.jsp                        |  2 ++
 apps/susidns/src/jsp/details.jsp                       |  2 ++
 apps/susidns/src/jsp/index.jsp                         |  2 ++
 apps/susidns/src/jsp/subscriptions.jsp                 |  2 ++
 apps/susimail/src/src/i2p/susi/webmail/WebMail.java    |  1 +
 history.txt                                            |  4 ++++
 router/java/src/net/i2p/router/RouterVersion.java      |  2 +-
 14 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 51f8b539a7..9c90639cb9 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -148,6 +148,7 @@ public class I2PSnarkServlet extends DefaultServlet {
         _imgPath = _themePath + "images/";
         // this is the part after /i2psnark
         String path = req.getServletPath();
+        resp.setHeader("X-Frame-Options", "SAMEORIGIN");
 
         // AJAX for mainsection
         if ("/.ajax/xhr1.html".equals(path)) {
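Review bot: The header is set unconditionally here, while css.jsi in this same commit gates it on `intl.shouldSendXFrame()` (the `routerconsole.disableXFrame` property), so an operator who sets that property to allow framing the console still gets SAMEORIGIN from i2psnark; the same applies to the i2ptunnel edit.jsp/index.jsp/wizard.jsp hunks, the five susidns jsp hunks, and the WebMail.java hunk. If that is deliberate (these apps may not have a router context to read the property from), a one-line comment would prevent the next reader from treating it as an oversight: `// clickjacking defense; not governed by routerconsole.disableXFrame`. Note also that SAMEORIGIN is evaluated against the framing page's origin, so these pages will refuse to load in a frame served from a different host or port. The enclosing method of I2PSnarkServlet starts and ends outside the hunk.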
diff --git a/apps/i2ptunnel/jsp/edit.jsp b/apps/i2ptunnel/jsp/edit.jsp
index 236e600f0b..c61d4de71b 100644
--- a/apps/i2ptunnel/jsp/edit.jsp
+++ b/apps/i2ptunnel/jsp/edit.jsp
@@ -1,6 +1,8 @@
 <%
     // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
diff --git a/apps/i2ptunnel/jsp/index.jsp b/apps/i2ptunnel/jsp/index.jsp
index 3f31bdd05b..41adffc7a0 100644
--- a/apps/i2ptunnel/jsp/index.jsp
+++ b/apps/i2ptunnel/jsp/index.jsp
@@ -5,6 +5,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.IndexBean"
diff --git a/apps/i2ptunnel/jsp/wizard.jsp b/apps/i2ptunnel/jsp/wizard.jsp
index 1e8a8e1a45..d9aeb3873f 100644
--- a/apps/i2ptunnel/jsp/wizard.jsp
+++ b/apps/i2ptunnel/jsp/wizard.jsp
@@ -5,6 +5,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %><%@page pageEncoding="UTF-8"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
 %><?xml version="1.0" encoding="UTF-8"?>
diff --git a/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java b/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java
index dc95bf6d17..3dd724b08d 100644
--- a/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java
@@ -19,6 +19,7 @@ public class CSSHelper extends HelperBase {
     private static final String FORCE = "classic";
     public static final String PROP_REFRESH = "routerconsole.summaryRefresh";
     public static final String DEFAULT_REFRESH = "60";
+    private static final String PROP_XFRAME = "routerconsole.disableXFrame";
 
     public String getTheme(String userAgent) {
         String url = BASE_THEME_PATH;
@@ -58,6 +59,15 @@ public class CSSHelper extends HelperBase {
             NewsFetcher.getInstance(_context).showNews(val.equals("1"));
     }
 
+    /**
+     *  Should we send X_Frame_Options=SAMEORIGIN
+     *  Default true
+     *  @since 0.9.1
+     */
+    public boolean shouldSendXFrame() {
+        return !_context.getBooleanProperty(PROP_XFRAME);
+    }
+
     /** change refresh and save it */
     public void setRefresh(String r) {
         _context.router().saveConfig(PROP_REFRESH, r);
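Review bot: The Javadoc on the new `shouldSendXFrame()` spells the header as `X_Frame_Options`, which is not the name the caller in css.jsi sends; suggest `Should we send X-Frame-Options: SAMEORIGIN? Default true; set routerconsole.disableXFrame=true to suppress it.` Naming the property in the Javadoc matters because `PROP_XFRAME` is declared private in the first CSSHelper hunk and the option is otherwise only discoverable from history.txt. The method's logic itself is fine: an absent or false property yields true, matching the documented default.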
diff --git a/apps/routerconsole/jsp/css.jsi b/apps/routerconsole/jsp/css.jsi
index 767d0d071e..434b67cae5 100644
--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@@ -29,6 +29,10 @@
 <jsp:useBean class="net.i2p.router.web.CSSHelper" id="intl" scope="request" />
 <jsp:setProperty name="intl" property="contextId" value="<%=(String)session.getAttribute(\"i2p.contextId\")%>" />
 <%
+   // clickjacking
+   if (intl.shouldSendXFrame())
+      response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
    String conNonceParam = request.getParameter("consoleNonce");
    if (conNonceParam != null && conNonceParam.equals(System.getProperty("router.consoleNonce"))) {
        intl.setLang(request.getParameter("lang"));
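Review bot: The new `if (intl.shouldSendXFrame())` has an unbraced body while the `if` immediately below it in the same scriptlet uses braces; brace it for consistency. The `// clickjacking` comment could also name the opt-out so operators find it here rather than in history.txt: `// clickjacking defense; disable with routerconsole.disableXFrame=true`. Because this is a response header, it only takes effect if css.jsi is included before any page output has been committed, which depends on the including pages and is not visible in this hunk.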
diff --git a/apps/susidns/src/jsp/addressbook.jsp b/apps/susidns/src/jsp/addressbook.jsp
index 3dd298a7f3..fe9666473b 100644
--- a/apps/susidns/src/jsp/addressbook.jsp
+++ b/apps/susidns/src/jsp/addressbook.jsp
@@ -27,6 +27,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %>
 <%@page pageEncoding="UTF-8"%>
 <%@page trimDirectiveWhitespaces="true"%>
diff --git a/apps/susidns/src/jsp/config.jsp b/apps/susidns/src/jsp/config.jsp
index 2f4e2a79d1..a39b52602b 100644
--- a/apps/susidns/src/jsp/config.jsp
+++ b/apps/susidns/src/jsp/config.jsp
@@ -27,6 +27,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %>
 <%@page pageEncoding="UTF-8"%>
 <%@page trimDirectiveWhitespaces="true"%>
diff --git a/apps/susidns/src/jsp/details.jsp b/apps/susidns/src/jsp/details.jsp
index c3f12821f1..3c67305e1d 100644
--- a/apps/susidns/src/jsp/details.jsp
+++ b/apps/susidns/src/jsp/details.jsp
@@ -24,6 +24,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %>
 <%@page pageEncoding="UTF-8"%>
 <%@page trimDirectiveWhitespaces="true"%>
diff --git a/apps/susidns/src/jsp/index.jsp b/apps/susidns/src/jsp/index.jsp
index 1cb170d9df..97b3c920b8 100644
--- a/apps/susidns/src/jsp/index.jsp
+++ b/apps/susidns/src/jsp/index.jsp
@@ -27,6 +27,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %>
 <%@page pageEncoding="UTF-8"%>
 <%@page trimDirectiveWhitespaces="true"%>
diff --git a/apps/susidns/src/jsp/subscriptions.jsp b/apps/susidns/src/jsp/subscriptions.jsp
index 30a15b7dbf..f7b6fa0354 100644
--- a/apps/susidns/src/jsp/subscriptions.jsp
+++ b/apps/susidns/src/jsp/subscriptions.jsp
@@ -27,6 +27,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %>
 <%@page pageEncoding="UTF-8"%>
 <%@page trimDirectiveWhitespaces="true"%>
diff --git a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
index b7b7c86696..3f73b65332 100644
--- a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
@@ -1185,6 +1185,7 @@ public class WebMail extends HttpServlet
 	{
 		httpRequest.setCharacterEncoding("UTF-8");
 		response.setCharacterEncoding("UTF-8");
+                response.setHeader("X-Frame-Options", "SAMEORIGIN");
 		RequestWrapper request = new RequestWrapper( httpRequest );
 		
 		SessionObject sessionObject = null;
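Review bot: The added `response.setHeader("X-Frame-Options", "SAMEORIGIN");` line is indented with spaces while the surrounding lines of this method use tabs, so it only lines up under an 8-column tab width; re-indent it with tabs to match. The enclosing method's signature and the rest of its body are outside the hunk.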
diff --git a/history.txt b/history.txt
index 35f398111d..af1ec21bf7 100644
--- a/history.txt
+++ b/history.txt
@@ -1,3 +1,7 @@
+2012-05-13 zzz
+ * Console: Add X-Frame-Options to headers,
+   disable with routerconsole.disableXFrame=true
+
 * 2012-05-02 0.9 released
 
 2012-04-26 kytv
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index a411b00998..87e5bffca0 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 0;
+    public final static long BUILD = 1;
 
     /** for example "-test" */
     public final static String EXTRA = "";
-- 
GitLab