Update the builtin and legacy servers to send
the proper X-Frame-Options header so that
iframing is denied from extraneous origins.
The legacy server has been updated to ensure
clickjacking is not possible on jujucharms.com.
Tests: `make unittest`.
QA:
- juju bootstrap an environment;
- run `make deploy`;
- wait for the GUI to be ready/started;
- open the GUI with the browser and log in;
- prepare an HTML page like the following, replacing
<GUI UNIT HOSTNAME> with the address of the GUI in
your environment:
- open the test page above with the browser,
the iframe should be empty;
- switch to the legacy server:
`juju set juju-gui builtin-server=false`;
- wait a minute for the config-changed hook
to complete;
- open the test page above with the browser,
the iframe should be empty;
- destroy the environment.
*** Submitted:
Avoid clickjacking.
Update the builtin and legacy servers to send
the proper X-Frame-Options header so that
iframing is denied from extraneous origins.
The legacy server has been updated to ensure
clickjacking is not possible on jujucharms.com.
Tests: `make unittest`.
QA:
- juju bootstrap an environment;
- run `make deploy`;
- wait for the GUI to be ready/started;
- open the GUI with the browser and log in;
- prepare an HTML page like the following, replacing
<GUI UNIT HOSTNAME> with the address of the GUI in
your environment:
<!DOCTYPE html>
<html>
<head>
<title>test clickjacking</title>
</head>
<body>
<iframe src="https://<GUI UNIT HOSTNAME>" height="800" width="1000"></iframe>
</body>
</html>
- open the test page above with the browser,
the iframe should be empty;
- switch to the legacy server:
`juju set juju-gui builtin-server=false`;
- wait a minute for the config-changed hook
to complete;
- open the test page above with the browser,
the iframe should be empty;
- destroy the environment.
R=jeff.pihach
CC=
https://codereview.appspot.com/88090048
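The manual QA step above (load the test page, the iframe must stay empty) can be automated by inspecting the response headers directly. The following is an added example written for this review, not code from the juju-gui charm or its builtin/legacy servers; the header values it classifies are constructed test data, and `check_url` is a hypothetical helper for running the same check against a live GUI unit.

```python
"""Classify a response's anti-framing protection from its headers.

Added example (not juju-gui code): automates the QA check that the
GUI cannot be iframed from another origin by looking at the
X-Frame-Options header the builtin and legacy servers must send.
"""
from typing import Mapping
import urllib.request

# X-Frame-Options values that prevent framing from other origins.
BLOCKING = {"DENY", "SAMEORIGIN"}


def frame_policy(headers: Mapping[str, str]) -> str:
    """Return one of:
      "csp"      - CSP frame-ancestors present; it overrides X-Frame-Options
      "blocked"  - X-Frame-Options is exactly DENY or SAMEORIGIN
      "weak"     - X-Frame-Options present but empty, conflicting, or the
                   obsolete ALLOW-FROM form, which browsers may ignore
      "missing"  - no anti-framing header at all: the page can be framed
    """
    # Header names are case-insensitive; normalise once.
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    if "frame-ancestors" in csp.lower():
        return "csp"

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "missing"
    # A header sent twice is usually joined with commas by HTTP clients;
    # browsers treat conflicting values as invalid, i.e. no protection.
    values = {v.strip().upper() for v in xfo.split(",") if v.strip()}
    if len(values) == 1 and values <= BLOCKING:
        return "blocked"
    return "weak"


def check_url(url: str) -> str:
    """Hypothetical live variant: fetch the GUI URL and classify its headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return frame_policy(dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed sample responses, one per outcome.
    print(frame_policy({"X-Frame-Options": "SAMEORIGIN"}))       # blocked
    print(frame_policy({"X-Frame-Options": "DENY, SAMEORIGIN"})) # weak
    print(frame_policy({"Content-Type": "text/html"}))           # missing
```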