[FIX] web: no frames on login/preferences screen
We generally consider this a low-priority issue,
as it is social-engineering based and many easier
options exist for targeting gullible users.
Nevertheless, protecting a couple of obvious pages
does not hurt.
odony committed Mar 27, 2017
1 parent 4d7d234 commit 6d16915
Showing 3 changed files with 12 additions and 4 deletions.
4 changes: 3 additions & 1 deletion addons/auth_signup/controllers/main.py
Expand Up @@ -65,7 +65,9 @@ def web_auth_reset_password(self, *args, **kw):
except Exception, e:
qcontext['error'] = e.message or e.name

return request.render('auth_signup.reset_password', qcontext)
response = request.render('auth_signup.reset_password', qcontext)
response.headers['X-Frame-Options'] = 'DENY'
return response

def get_auth_signup_config(self):
"""retrieve the module config (which features are enabled) for the login page"""
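Review bot: The reset-password response now carries `X-Frame-Options: DENY` but no `Content-Security-Policy` counterpart, so browsers that implement CSP Level 2 are still governed by the legacy header alone; the two are normally shipped together, `response.headers['Content-Security-Policy'] = "frame-ancestors 'none'"` right after the `X-Frame-Options` line, so that old and new browsers both refuse to frame the page. `DENY` is the right value here, since a credential-reset screen has no legitimate same-origin embedding. `web_auth_reset_password` begins above the hunk, so if it has an earlier `return request.render(...)` (a non-error path), that response will not get the header unless it also flows through this tail; worth a check. `get_auth_signup_config` at the bottom continues outside the hunk.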
8 changes: 6 additions & 2 deletions addons/web/controllers/main.py
Expand Up @@ -440,7 +440,9 @@ def web_client(self, s_action=None, **kw):
request.uid = request.session.uid
context = request.env['ir.http'].webclient_rendering_context()

return request.render('web.webclient_bootstrap', qcontext=context)
response = request.render('web.webclient_bootstrap', qcontext=context)
response.headers['X-Frame-Options'] = 'DENY'
return response

@http.route('/web/dbredirect', type='http', auth="none")
def web_db_redirect(self, redirect='/', **kw):
Expand Down Expand Up @@ -473,7 +475,9 @@ def web_login(self, redirect=None, **kw):
return http.redirect_with_hash(redirect)
request.uid = old_uid
values['error'] = _("Wrong login/password")
return request.render('web.login', values)
response = request.render('web.login', values)
response.headers['X-Frame-Options'] = 'DENY'
return response


class WebClient(http.Controller):
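Review bot: The same two-line `response = ...; response.headers['X-Frame-Options'] = 'DENY'` idiom is pasted into `web_client`, `web_login` and the two other controllers of this commit, which makes it easy to miss the next credential-handling page and leaves no single place to add the CSP `frame-ancestors` directive that should accompany the legacy header. A small module-level helper in this file, applied at each render, keeps both headers consistent and gives future endpoints a one-call way to opt in. Note that `DENY` on `web.webclient_bootstrap` also blocks same-origin framing of the whole backend client, which may be a supported embedding scenario elsewhere in the product — if it is, `SAMEORIGIN` is the compatible value for that page while `DENY` stays on the login form. The `http.redirect_with_hash(redirect)` branch is a redirect and needs no header; both `web_client` and `web_login` start above their hunks, so any render earlier in those functions is not covered by this change.
```python
def _deny_framing(response):
    """Forbid embedding the rendered page in any frame (clickjacking guard)."""
    response.headers['X-Frame-Options'] = 'DENY'
    response.headers['Content-Security-Policy'] = "frame-ancestors 'none'"
    return response

# ... unchanged: web_client body up to the render ...
        return _deny_framing(request.render('web.webclient_bootstrap', qcontext=context))

# ... unchanged: web_login body up to the final render ...
        return _deny_framing(request.render('web.login', values))
```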
4 changes: 3 additions & 1 deletion addons/website_portal/controllers/main.py
Expand Up @@ -89,7 +89,9 @@ def details(self, redirect=None, **post):
'redirect': redirect,
})

return request.render("website_portal.details", values)
response = request.render("website_portal.details", values)
response.headers['X-Frame-Options'] = 'DENY'
return response

def details_form_validate(self, data):
error = dict()
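Review bot: The new `X-Frame-Options` line on the portal details render carries no comment explaining why this particular page is singled out, and the commit message's reasoning lives only in the git log; a one-line why-comment above it, `# this form edits account data: never let it be framed (clickjacking)`, tells the next maintainer not to drop it when the render is refactored. The header should also be paired with `response.headers['Content-Security-Policy'] = "frame-ancestors 'none'"` so that CSP-aware browsers get the same protection. `details` begins above the hunk and takes `**post`, so it presumably has a POST path that either redirects (the `redirect` value in `values` suggests this) or re-renders on validation errors from `details_form_validate`; if an error re-render happens before this final `return`, it would need the same header. `details_form_validate` at the bottom continues outside the hunk.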
