Author: rfm Date: Wed Apr 19 14:20:03 2017 New Revision: 40487 URL: http://svn.gna.org/viewcvs/gnustep?rev=40487&view=rev Log: Add WebServerFrameOptions
Modified:
    libs/webserver/trunk/ChangeLog
    libs/webserver/trunk/Internal.h
    libs/webserver/trunk/WebServer.h
    libs/webserver/trunk/WebServer.m
    libs/webserver/trunk/WebServerConnection.m
Modified: libs/webserver/trunk/ChangeLog
URL: http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/ChangeLog?rev=40487&r1=40486&r2=40487&view=diff
==============================================================================
--- libs/webserver/trunk/ChangeLog (original)
+++ libs/webserver/trunk/ChangeLog Wed Apr 19 14:20:03 2017
@@ -1,3 +1,8 @@
+2017-04-19 Richard Frith-Macdonald <r...@gnu.org>
+
+	New WebServerFrameOptions user default (DENY if not set) to sert a
+	default X-Frame-Options header value for use by all responses.
+
 2016-10-28 Wolfgang Lux <wolfgang....@gmail.com>
 
 	* WebServerBundles.m (-dealloc): Unregister from notification
Modified: libs/webserver/trunk/Internal.h
URL: http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/Internal.h?rev=40487&r1=40486&r2=40487&view=diff
==============================================================================
--- libs/webserver/trunk/Internal.h (original)
+++ libs/webserver/trunk/Internal.h Wed Apr 19 14:20:03 2017
@@ -100,6 +100,7 @@
   NSUInteger maxConnectionRequests;
   NSTimeInterval maxConnectionDuration;
   NSSet *permittedMethods;
+  NSString *frameOptions;
 }
 @end
Modified: libs/webserver/trunk/WebServer.h
URL: http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServer.h?rev=40487&r1=40486&r2=40487&view=diff
==============================================================================
--- libs/webserver/trunk/WebServer.h (original)
+++ libs/webserver/trunk/WebServer.h Wed Apr 19 14:20:03 2017
@@ -364,6 +364,14 @@
  * class recognises the following defaults keys -
  * </p>
  * <deflist>
+ * <term>WebServerFrameOptions</term>
+ * <desc>A string defining the frame options setting for responses produced
+ * by the server (application code can always override this).<br />
+ * If this is not defined, the value <code>DENY</code> is used to prevent
+ * responses from being presented inside frames.<br />
+ * If this is defined as an empty string, no X-Frame-Options header is set
+ * (unless application code explicitly sets the header in the response).
+ * </desc>
  * <term>WebServerHosts</term>
  * <desc>An array of host IP addresses to list the hosts permitted to
  * send requests to the server. If defined, requests from other hosts
@@ -441,6 +449,7 @@
   NSLock *_incrementalDataLock;
   NSMutableDictionary *_incrementalDataMap;
   NSUInteger _strictTransportSecurity;
+  NSString *_frameOptions;
   void *_reserved;
 }
Modified: libs/webserver/trunk/WebServer.m
URL: http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServer.m?rev=40487&r1=40486&r2=40487&view=diff
==============================================================================
--- libs/webserver/trunk/WebServer.m (original)
+++ libs/webserver/trunk/WebServer.m Wed Apr 19 14:20:03 2017
@@ -2615,6 +2615,8 @@
 - (void) _setup
 {
+  NSString *s;
+
   _reserved = 0;
   _nc = [[NSNotificationCenter defaultCenter] retain];
   _connectionTimeout = 30.0;
@@ -2634,6 +2636,14 @@
   _conf->maxConnectionDuration = 10.0;
   _conf->maxBodySize = 4*1024*1024;
   _conf->maxRequestSize = 8*1024;
+  if (nil == (s = [_defs stringForKey: @"WebServerFrameOptions"]))
+    {
+      _conf->frameOptions = @"DENY";
+    }
+  else if ([s length] > 0)
+    {
+      _conf->frameOptions = [s copy];
+    }
   _maxPerHost = 32;
   _maxConnections = 128;
   _substitutionLimit = 4;
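Review bot: The `_frameOptions` ivar added to the WebServer instance layout in the second hunk is not referenced by anything else in this commit; the configured value is stored in `_conf->frameOptions` (Internal.h) and that is what WebServerConnection.m reads. Unless another part of the class uses it, the declaration is dead, and it also grows the published instance layout of a public class, which the `_reserved` slot below it presumably exists to absorb. If it is intentional, a one-line comment such as `NSString *_frameOptions;   /* unused here: the value lives in _conf->frameOptions */` would stop the next reader from taking it for the authoritative copy. The ivar block continues outside the hunk.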
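Review bot: The `WebServerFrameOptions` string is copied into `_conf->frameOptions` in the second WebServer.m hunk without any validation, and browsers ignore an X-Frame-Options header whose value they do not recognise, so a misspelt default (for example `SAME-ORIGIN`) silently removes the clickjacking protection this commit sets out to provide. Only `DENY` and `SAMEORIGIN` are meaningful to current browsers (`ALLOW-FROM` is obsolete and widely unsupported), so the `else if` branch should accept just those, normalised to upper case, and fall back to `DENY` with a log message otherwise. The default branch assigns the literal `@"DENY"`, which -dealloc later releases; that is harmless for a constant string but differs from the `[s copy]` path, so `[@"DENY" copy]` would keep ownership uniform across both branches. The `_setup` method starts and ends outside this hunk.
```objc
  if (nil == (s = [_defs stringForKey: @"WebServerFrameOptions"]))
    {
      _conf->frameOptions = [@"DENY" copy];
    }
  else if ([s length] > 0)
    {
      /* Browsers ignore an X-Frame-Options value they do not recognise,
       * which would silently drop the protection, so accept only the
       * values browsers honour and fall back to DENY for anything else.
       */
      if (NSOrderedSame == [s caseInsensitiveCompare: @"DENY"]
        || NSOrderedSame == [s caseInsensitiveCompare: @"SAMEORIGIN"])
        {
          _conf->frameOptions = [[s uppercaseString] copy];
        }
      else
        {
          NSLog(@"Unsupported WebServerFrameOptions value '%@'; using DENY", s);
          _conf->frameOptions = [@"DENY" copy];
        }
    }
  // … unchanged: _maxPerHost, _maxConnections, _substitutionLimit …
```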
@@ -2700,6 +2710,7 @@
 - (void) dealloc
 {
   [permittedMethods release];
+  [frameOptions release];
   [super dealloc];
 }
 @end
Modified: libs/webserver/trunk/WebServerConnection.m
URL: http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServerConnection.m?rev=40487&r1=40486&r2=40487&view=diff
==============================================================================
--- libs/webserver/trunk/WebServerConnection.m (original)
+++ libs/webserver/trunk/WebServerConnection.m Wed Apr 19 14:20:03 2017
@@ -1098,6 +1098,12 @@
                         value: value
                    parameters: nil];
         }
+      if (nil != conf->frameOptions)
+        {
+          [response setHeader: @"X-Frame-Options"
+                        value: conf->frameOptions
+                   parameters: nil];
+        }
     }
   return response;
 }
_______________________________________________
Gnustep-cvs mailing list
Gnustep-cvs@gna.org
https://mail.gna.org/listinfo/gnustep-cvs
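Review bot: The new block in the WebServerConnection.m hunk emits whatever string sits in `conf->frameOptions` on every response built here, so the protection depends entirely on that value being one a browser honours, and nothing at this site says why the header is present. A short comment above the `if` would help whoever meets this header in a capture or a handler, e.g. `/* Default clickjacking protection from the WebServerFrameOptions default; set on every response built here, application code may replace it. */`. Whether application code can still override the header depends on this method returning before the handler runs, which the hunk does not show; the enclosing method starts outside it.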