From 5bc3cea6fe4a909735753692d0c4cd960e8ab516 Mon Sep 17 00:00:00 2001
From: enahum
Date: Wed, 3 Aug 2016 12:19:27 -0500
Subject: PLT-3484 OAuth2 Service Provider (#3632)
* PLT-3484 OAuth2 Service Provider
* PM text review for OAuth 2.0 Service Provider
* PLT-3484 OAuth2 Service Provider UI tweaks (#3668)
* Tweaks to help text
* Pushing OAuth improvements (#3680)
* Re-arrange System Console for OAuth 2.0 Provider
---
 api/context.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'api/context.go')
diff --git a/api/context.go b/api/context.go
index 6976feb8f..9a2f9b9ea 100644
--- a/api/context.go
+++ b/api/context.go
@@ -68,6 +68,10 @@ func UserRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Han
 return &handler{h, true, false, false, false, false, false}
 }
 
+func AppHandlerTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
+ return &handler{h, false, false, false, false, false, true}
+}
+
 func ApiAdminSystemRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
 return &handler{h, true, true, true, false, false, false}
 }
@@ -102,7 +106,6 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 c.RequestId = model.NewId()
 c.IpAddress = GetIpAddress(r)
 c.TeamId = mux.Vars(r)["team_id"]
- h.isApi = IsApiCall(r)
 
 token := ""
 isTokenFromQueryString := false
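Review bot: AppHandlerTrustRequester is exported without a doc comment, and its positional literal `&handler{h, false, false, false, false, false, true}` gives a reader no way to see which flag the trailing `true` sets without opening the struct definition (not in this hunk); the sibling constructors share that style, but this is the one that enables a trust flag, so a caller picking it is opting out of whatever that flag gates. I would add a comment such as `// AppHandlerTrustRequester wraps h as a non-API handler that requires no logged-in user and sets the handler's trust-requester flag; use it only for routes that must be reachable by requesters the default handler rejects.` — the exact semantics of the flag should be spelled out once confirmed against the `handler` struct and the check in ServeHTTP that reads it. A keyed composite literal using the struct's field names would make the intent auditable at the call site and is worth applying to the neighbouring constructors too.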
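Review bot: Removing `h.isApi = IsApiCall(r)` in the second hunk changes isApi from a per-request value derived from the URL to a fixed value chosen by the constructor that registered the route, so any route mounted under the API path through a non-Api constructor will now lose the JSON Content-Type and instead receive the framing headers set later in ServeHTTP. That is presumably intentional, since a handler should not change category based on its path, but it deserves a short comment where the field is declared or read, e.g. `// isApi is fixed by the constructor that built the handler; it is no longer derived from the request path.`, and a sweep confirming that every route under the API prefix uses an Api* constructor. If isApi also gates the query-string token or CSRF handling that follows `isTokenFromQueryString`, that behaviour now depends on the same constructor choice; I cannot see that code here. ServeHTTP begins before this hunk and continues after it.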
@@ -147,10 +150,10 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId)
 w.Header().Set(model.HEADER_VERSION_ID, fmt.Sprintf("%v.%v", model.CurrentVersion, utils.CfgLastModified))
 
- // Instruct the browser not to display us in an iframe for anti-clickjacking
+ // Instruct the browser not to display us in an iframe unless is the same origin for anti-clickjacking
 if !h.isApi {
- w.Header().Set("X-Frame-Options", "DENY")
- w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'")
+ w.Header().Set("X-Frame-Options", "SAMEORIGIN")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'")
 } else {
 // All api response bodies will be JSON formatted by default
 w.Header().Set("Content-Type", "application/json")
--
cgit v1.2.3-1-g7c22
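Review bot: The change from `DENY` / `frame-ancestors 'none'` to `SAMEORIGIN` / `frame-ancestors 'self'` relaxes clickjacking protection for every non-API response, not only for whatever page the OAuth work needs to frame, and the commit message does not say why framing is required. Same-origin framing is commonly acceptable, but it means any same-origin content that can embed an iframe (user-supplied HTML previews, plugins, or a future XSS) can frame every application page, so the safer shape is to keep `DENY`/`'none'` as the default and opt the specific handler into the relaxed policy, for example through a flag on `handler` alongside isApi. The two headers are kept consistent with each other here, which is good; keep them paired if the policy is narrowed. The comment is also missing a word: `// Instruct the browser not to display us in an iframe unless it is the same origin, for anti-clickjacking`. ServeHTTP starts before this hunk and continues after it.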