clickjacking protection: set X-Frame-Options SAMEORIGIN, RT#39607

[freeside.git] / FS / FS / Mason / Request.pm

diff --git a/FS/FS/Mason/Request.pm b/FS/FS/Mason/Request.pm
index 022ff8e..537ba2d 100644 (file)
--- a/FS/FS/Mason/Request.pm
+++ b/FS/FS/Mason/Request.pm
@@ -65,6 +65,10 @@ sub freeside_setup {
             if fileno(STDOUT) != 1;
     }
 
+    FS::Trace->log('    adding headers');
+    #frame-ancestors not supported by all the major browsers yet
+    $HTML::Mason::Commands::r->header_out( 'X-Frame-Options', 'SAMEORIGIN' );
+
     if ( $filename =~ qr(/REST/\d+\.\d+/NoAuth/) ) {
 
       FS::Trace->log('    handling RT REST/NoAuth file');