diff options
author | nickago <ngonella@calpoly.edu> | 2015-07-27 11:59:14 -0700 |
---|---|---|
committer | nickago <ngonella@calpoly.edu> | 2015-07-27 14:39:55 -0700 |
commit | ce2cf5b4e8c8fbd5df203787f94b781a95066057 (patch) | |
tree | 4d9b1f9f4e44255f96b07907e056509afc843dbb /api/context.go | |
parent | 18d160bec53c36b604900506a461598a7082ff9b (diff) | |
download | chat-ce2cf5b4e8c8fbd5df203787f94b781a95066057.tar.gz chat-ce2cf5b4e8c8fbd5df203787f94b781a95066057.tar.bz2 chat-ce2cf5b4e8c8fbd5df203787f94b781a95066057.zip |
Limited the added headers to only non-api calls
Diffstat (limited to 'api/context.go')
-rw-r--r-- | api/context.go | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/api/context.go b/api/context.go index 036128a00..16da0a6eb 100644 --- a/api/context.go +++ b/api/context.go @@ -100,8 +100,12 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId) w.Header().Set(model.HEADER_VERSION_ID, utils.Cfg.ServiceSettings.Version) - w.Header().Set("X-FRAME-OPTIONS", "DENY") - w.Header().Set("Content-Security-Policy", "frame-ancestors none") + + // Instruct the browser not to display us in an iframe for anti-clickjacking + if !h.isApi { + w.Header().Set("X-Frame-Options", "DENY") + w.Header().Set("Content-Security-Policy", "frame-ancestors none") + } sessionId := "" |