From ce2cf5b4e8c8fbd5df203787f94b781a95066057 Mon Sep 17 00:00:00 2001
From: nickago <ngonella@calpoly.edu>
Date: Mon, 27 Jul 2015 11:59:14 -0700
Subject: Limited the added headers to only non-api calls

---
 api/context.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'api/context.go')

diff --git a/api/context.go b/api/context.go
index 036128a00..16da0a6eb 100644
--- a/api/context.go
+++ b/api/context.go
@@ -100,8 +100,12 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId)
 	w.Header().Set(model.HEADER_VERSION_ID, utils.Cfg.ServiceSettings.Version)
-	w.Header().Set("X-FRAME-OPTIONS", "DENY")
-	w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+
+	// Instruct the browser not to display us in an iframe for anti-clickjacking
+	if !h.isApi {
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+	}
 
 	sessionId := ""
 
-- 
cgit v1.2.3-1-g7c22