WebAppSec/MozSecureWorld: Difference between revisions

WebAppSec/MozSecureWorld (view source)

Revision as of 19:22, 22 June 2011

1,575 bytes removed , 22 June 2011

→‎Cross Domain Controls

Haoqili

67

edits

@@ Line 47: / Line 47: @@
 === Cross Domain Controls ===
 * X-frame-options in header options
-==== Where playdoh set x-frame-option to "deny" ====
-It's in ''vendor/src/commonware/commonware/response/middleware.py''
-<pre>
-from django.conf import settings
-class FrameOptionsHeader(object):
-    """
-    Set an X-Frame-Options header. Default to DENY. Set
-    response['x-frame-options'] = 'SAMEORIGIN'
-    to override.
-    """
-    def process_response(self, request, response):
-        if hasattr(response, 'no_frame_options'):
-            return response
-        if not 'x-frame-options' in response:
-            response['x-frame-options'] = 'DENY'
-</pre>
-Also see ''vendor/src/commonware/commonware/response/decorators.py''
-<pre>
-from functools import wraps
-from django.utils.decorators import available_attrs
-def xframe_sameorigin(view_fn):
-    @wraps(view_fn, assigned=available_attrs(view_fn))
-    def _wrapped_view(request, *args, **kwargs):
-        response = view_fn(request, *args, **kwargs)
-        response['x-frame-options'] = 'SAMEORIGIN'
-        return response
-    return _wrapped_view
-def xframe_allow(view_fn):
-    @wraps(view_fn, assigned=available_attrs(view_fn))
-    def _wrapped_view(request, *args, **kwargs):
-        response = view_fn(request, *args, **kwargs)
-        response.no_frame_options = True
-        return response
-    return _wrapped_view
-def xframe_deny(view_fn):
-    @wraps(view_fn, assigned=available_attrs(view_fn))
-    def _wrapped_view(request, *args, **kwargs):
-        response = view_fn(request, *args, **kwargs)
-        response['x-frame-options'] = 'DENY'
-        return response
-    return _wrapped_view
-</pre>
 === Cookie Protection ===