summaryrefslogtreecommitdiffstats
path: root/api/context.go
diff options
context:
space:
mode:
Diffstat (limited to 'api/context.go')
-rw-r--r--api/context.go11
1 files changed, 7 insertions, 4 deletions
diff --git a/api/context.go b/api/context.go
index 6976feb8f..9a2f9b9ea 100644
--- a/api/context.go
+++ b/api/context.go
@@ -68,6 +68,10 @@ func UserRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Han
return &handler{h, true, false, false, false, false, false}
}
+func AppHandlerTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
+ return &handler{h, false, false, false, false, false, true}
+}
+
func ApiAdminSystemRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &handler{h, true, true, true, false, false, false}
}
@@ -102,7 +106,6 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
c.RequestId = model.NewId()
c.IpAddress = GetIpAddress(r)
c.TeamId = mux.Vars(r)["team_id"]
- h.isApi = IsApiCall(r)
token := ""
isTokenFromQueryString := false
@@ -147,10 +150,10 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId)
w.Header().Set(model.HEADER_VERSION_ID, fmt.Sprintf("%v.%v", model.CurrentVersion, utils.CfgLastModified))
- // Instruct the browser not to display us in an iframe for anti-clickjacking
+ // Instruct the browser not to display us in an iframe unless is the same origin for anti-clickjacking
if !h.isApi {
- w.Header().Set("X-Frame-Options", "DENY")
- w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'")
+ w.Header().Set("X-Frame-Options", "SAMEORIGIN")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'")
} else {
// All api response bodies will be JSON formatted by default
w.Header().Set("Content-Type", "application/json")
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-06-02 09:00:04 +0000