
launchpad-reviewers team mailing list archive

[Merge] lp:~cjwatson/launchpad/more-framing-protection into lp:launchpad


Colin Watson has proposed merging lp:~cjwatson/launchpad/more-framing-protection into lp:launchpad.

Commit message:
Set "Content-Security-Policy: frame-ancestors 'self';" as well as "X-Frame-Options: SAMEORIGIN", for improved browser compatibility.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/more-framing-protection/+merge/372613

Edge apparently doesn't support X-Frame-Options, but does support CSP: frame-ancestors.

Spotted by researchers from Stony Brook University, Università Ca' Foscari Venezia, and the CISPA Helmholtz Center for Information Security.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/launchpad/more-framing-protection into lp:launchpad.
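The proposal rests on one point: a browser that ignores `X-Frame-Options` is still protected if `Content-Security-Policy` carries a `frame-ancestors` directive, so both headers need to be present and agree. The check below is an added example, not Launchpad code: it parses a CSP value into directives (trailing `;` tolerated, as in the proposed header) and reports whether a response's framing protection covers both mechanisms and whether the two are consistent. The header names are the real ones; the function names, the equivalence table and the sample header sets are assumptions constructed here.

```python
"""Check a mapping of HTTP response headers for framing (clickjacking) protection.

Added example, not part of the Launchpad tree. The equivalence table maps each
X-Frame-Options value to the frame-ancestors source list that means the same
thing, so a mismatch between the two headers can be flagged.
"""

# X-Frame-Options value (lower-cased) -> equivalent frame-ancestors sources.
# ALLOW-FROM is deliberately absent: it has no single-origin CSP equivalent
# and is not honoured by modern browsers, so it is reported as a mismatch.
XFO_EQUIVALENT = {
    'deny': ["'none'"],
    'sameorigin': ["'self'"],
}


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}.

    Directives are separated by ';'; an empty trailing directive (from a
    trailing ';') is ignored. The first token of each directive is its name,
    compared case-insensitively; the remaining tokens are its sources. A
    repeated directive keeps its first occurrence, as browsers do.
    """
    policy = {}
    for directive in value.split(';'):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def framing_protection(headers):
    """Describe the framing protection present in a header mapping.

    `headers` maps header names (any case) to values. The result has:
      frame_ancestors  sources of the CSP frame-ancestors directive, or None
      x_frame_options  the X-Frame-Options value, or None
      mismatch         True when both are present but do not mean the same
      ok               True only when frame-ancestors is present (so browsers
                       that ignore X-Frame-Options are covered) and there is
                       no mismatch with X-Frame-Options
    """
    lower = {name.lower(): value for name, value in headers.items()}
    csp = lower.get('content-security-policy')
    xfo = lower.get('x-frame-options')

    ancestors = None
    if csp is not None:
        ancestors = parse_csp(csp).get('frame-ancestors')

    mismatch = False
    if ancestors is not None and xfo is not None:
        expected = XFO_EQUIVALENT.get(xfo.strip().lower())
        actual = [source.lower() for source in ancestors]
        mismatch = expected is None or actual != expected

    return {
        'frame_ancestors': ancestors,
        'x_frame_options': xfo,
        'mismatch': mismatch,
        'ok': ancestors is not None and not mismatch,
    }


# Constructed sample header sets: the pair this proposal emits, the pre-proposal
# state (X-Frame-Options only), and a deliberately inconsistent pair.
SAMPLES = {
    'proposed': {
        'Content-Security-Policy': "frame-ancestors 'self';",
        'X-Frame-Options': 'SAMEORIGIN',
    },
    'xfo_only': {'X-Frame-Options': 'SAMEORIGIN'},
    'inconsistent': {
        'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
        'X-Frame-Options': 'SAMEORIGIN',
    },
}

if __name__ == '__main__':
    for label, headers in SAMPLES.items():
        print(label, framing_protection(headers))
```

Run as a script it prints one result line per sample; the `xfo_only` case is the situation the proposal fixes (no `frame-ancestors`, so `ok` is False), and the `inconsistent` case shows why checking both headers together matters rather than just checking that each exists.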
=== modified file 'lib/lp/services/webapp/servers.py'
--- lib/lp/services/webapp/servers.py	2019-05-22 14:57:45 +0000
+++ lib/lp/services/webapp/servers.py	2019-09-11 14:17:07 +0000
@@ -604,6 +604,8 @@
         self.response.setHeader('Vary', 'Cookie, Authorization')
 
         # Prevent clickjacking and content sniffing attacks.
+        self.response.setHeader(
+            'Content-Security-Policy', "frame-ancestors 'self';")
         self.response.setHeader('X-Frame-Options', 'SAMEORIGIN')
         self.response.setHeader('X-Content-Type-Options', 'nosniff')
         self.response.setHeader('X-XSS-Protection', '1; mode=block')
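Review bot: the new `self.response.setHeader('Content-Security-Policy', "frame-ancestors 'self';")` replaces any Content-Security-Policy value already on the response rather than extending it, so if another layer ever needs further directives (a `default-src`, say) it will have to read and append to this value instead of setting its own; a short comment on these two lines saying that this header is intended to carry only `frame-ancestors` for now, duplicating `X-Frame-Options` for browsers that ignore it, would make that intent explicit and save the next reader a trip to the proposal text. The trailing `;` in the value is legal and harmless, but the test in the other hunk pins the exact string, so dropping it later means changing both places.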

=== modified file 'lib/lp/services/webapp/tests/test_servers.py'
--- lib/lp/services/webapp/tests/test_servers.py	2019-05-22 14:57:45 +0000
+++ lib/lp/services/webapp/tests/test_servers.py	2019-09-11 14:17:07 +0000
@@ -400,6 +400,9 @@
     def test_baserequest_security_headers(self):
         response = LaunchpadBrowserRequest(StringIO.StringIO(''), {}).response
         self.assertEqual(
+            response.getHeader('Content-Security-Policy'),
+            "frame-ancestors 'self';")
+        self.assertEqual(
             response.getHeader('X-Frame-Options'), 'SAMEORIGIN')
         self.assertEqual(
             response.getHeader('X-Content-Type-Options'), 'nosniff')
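Review bot: the new `self.assertEqual(response.getHeader('Content-Security-Policy'), "frame-ancestors 'self';")` pins the exact serialized header, trailing `;` and all, so any cosmetic change (dropping the semicolon, altering whitespace, adding a second directive) will fail it even though the framing protection is unchanged. If that tight coupling is intended, a one-line comment saying so would help; otherwise consider asserting on the parsed directive (that `frame-ancestors` is `'self'`) rather than the literal string. Argument order follows the neighbouring assertions (observed value first), which is the right choice for consistency within this method.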
