-rw-r--r--web/templates/head.html7
-rw-r--r--web/web.go32
2 files changed, 39 insertions, 0 deletions
diff --git a/web/templates/head.html b/web/templates/head.html
index d14340998..7a7d4fe8e 100644
--- a/web/templates/head.html
+++ b/web/templates/head.html
@@ -36,6 +36,13 @@
<script type="text/javascript" src="https://cloudfront.loggly.com/js/loggly.tracker.js" async></script>
<script id="config" type="text/javascript" src="/static/config/config.js"></script>
+ <style id="antiClickjack">body{display:none !important;}</style>
+ <script type="text/javascript">
+ if (self === top) {
+ var blocker = document.getElementById("antiClickjack");
+ blocker.parentNode.removeChild(blocker);
+ }
+ </script>
<script>
if (config == null) {
config = {};
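Review bot: The new antiClickjack style/script pair at the top of the hunk carries no comment explaining why the body is hidden by default, and a future maintainer is likely to "clean up" a rule that hides the whole page. Add a comment above the `<style id="antiClickjack">` line such as `<!-- Clickjacking defense: body stays hidden unless this document is the top-level window; the X-Frame-Options / CSP frame-ancestors headers set in web.go are the primary control, this is a fallback for clients that ignore them -->`. Note that the fallback depends on JavaScript running: with scripts disabled the page remains blank by design, which is worth stating in the same comment.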
diff --git a/web/web.go b/web/web.go
index 1d59ef946..7a2d424aa 100644
--- a/web/web.go
+++ b/web/web.go
@@ -140,6 +140,9 @@ func root(c *api.Context, w http.ResponseWriter, r *http.Request) {
return
}
+ w.Header().Set("X-FRAME-OPTIONS", "DENY")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+
if len(c.Session.UserId) == 0 {
page := NewHtmlTemplatePage("signup_team", "Signup")
page.Render(c, w)
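Review bot: The CSP value `frame-ancestors none` on the second added line is not a valid keyword; in CSP the keyword must be quoted as `'none'`, and an unquoted `none` is parsed as a host-source named "none", which browsers flag with a console warning and which only blocks framing by accident rather than by the intended rule. The same two-line pair is copied into the hunks for signup, login, signupTeamConfirm, signupTeamComplete, signupUserComplete, getChannel, verifyEmail, findTeam, resetPassword and signupCompleteOAuth, so the fix belongs in one helper called from each handler before page.Render writes the body; the enclosing functions all start outside their hunks. While consolidating, the header name can be written in canonical form (`X-Frame-Options`); Header().Set canonicalizes it anyway, so that part is style only.
```go
// setAntiFramingHeaders forbids embedding the response in a frame on any
// origin. It must be called before anything is written to w, since headers
// sent after the body are discarded.
func setAntiFramingHeaders(w http.ResponseWriter) {
	w.Header().Set("X-Frame-Options", "DENY")
	w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'")
}

// … in root and each of the other handlers, replacing the two Set calls …
	setAntiFramingHeaders(w)
```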
@@ -156,6 +159,9 @@ func signup(c *api.Context, w http.ResponseWriter, r *http.Request) {
return
}
+ w.Header().Set("X-FRAME-OPTIONS", "DENY")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+
page := NewHtmlTemplatePage("signup_team", "Signup")
page.Render(c, w)
}
@@ -177,6 +183,9 @@ func login(c *api.Context, w http.ResponseWriter, r *http.Request) {
team = tResult.Data.(*model.Team)
}
+ w.Header().Set("X-FRAME-OPTIONS", "DENY")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+
// If we are already logged into this team then go to home
if len(c.Session.UserId) != 0 && c.Session.TeamId == team.Id {
page := NewHtmlTemplatePage("home", "Home")
@@ -195,6 +204,9 @@ func login(c *api.Context, w http.ResponseWriter, r *http.Request) {
func signupTeamConfirm(c *api.Context, w http.ResponseWriter, r *http.Request) {
email := r.FormValue("email")
+ w.Header().Set("X-FRAME-OPTIONS", "DENY")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+
page := NewHtmlTemplatePage("signup_team_confirm", "Signup Email Sent")
page.Props["Email"] = email
page.Render(c, w)
@@ -217,6 +229,9 @@ func signupTeamComplete(c *api.Context, w http.ResponseWriter, r *http.Request)
return
}
+ w.Header().Set("X-FRAME-OPTIONS", "DENY")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+
page := NewHtmlTemplatePage("signup_team_complete", "Complete Team Sign Up")
page.Props["Email"] = props["email"]
page.Props["DisplayName"] = props["display_name"]
@@ -268,6 +283,9 @@ func signupUserComplete(c *api.Context, w http.ResponseWriter, r *http.Request)
}
}
+ w.Header().Set("X-FRAME-OPTIONS", "DENY")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+
page := NewHtmlTemplatePage("signup_user_complete", "Complete User Sign Up")
page.Props["Email"] = props["email"]
page.Props["TeamDisplayName"] = props["display_name"]
@@ -340,6 +358,9 @@ func getChannel(c *api.Context, w http.ResponseWriter, r *http.Request) {
team = tResult.Data.(*model.Team)
}
+ w.Header().Set("X-FRAME-OPTIONS", "DENY")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+
page := NewHtmlTemplatePage("channel", "")
page.Title = name + " - " + team.DisplayName + " " + page.SiteName
page.Props["TeamDisplayName"] = team.DisplayName
@@ -395,12 +416,17 @@ func verifyEmail(c *api.Context, w http.ResponseWriter, r *http.Request) {
isVerified = "false"
}
+ w.Header().Set("X-FRAME-OPTIONS", "DENY")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+
page := NewHtmlTemplatePage("verify", "Email Verified")
page.Props["IsVerified"] = isVerified
page.Render(c, w)
}
func findTeam(c *api.Context, w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("X-FRAME-OPTIONS", "DENY")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors none")
page := NewHtmlTemplatePage("find_team", "Find Team")
page.Render(c, w)
}
@@ -442,6 +468,9 @@ func resetPassword(c *api.Context, w http.ResponseWriter, r *http.Request) {
teamDisplayName = team.DisplayName
}
+ w.Header().Set("X-FRAME-OPTIONS", "DENY")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+
page := NewHtmlTemplatePage("password_reset", "")
page.Title = "Reset Password - " + page.SiteName
page.Props["TeamDisplayName"] = teamDisplayName
@@ -551,6 +580,9 @@ func signupCompleteOAuth(c *api.Context, w http.ResponseWriter, r *http.Request)
user.TeamId = team.Id
+ w.Header().Set("X-FRAME-OPTIONS", "DENY")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+
page := NewHtmlTemplatePage("signup_user_oauth", "Complete User Sign Up")
page.Props["User"] = user.ToJson()
page.Props["TeamName"] = team.Name