Forum OpenACS Q&A: Where to add X-Frame-Options headers?
I'm running an older version of OpenACS but hopefully someone will be able to give me a pointer about this. We have a requirement to add an X-Frame-Options header to all response headers (see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet ).
I have modified the rp_handler proc in acs-tcl/tcl/request-processor-procs.tcl by adding the following line at the start of the proc:
ns_set put [ns_conn outputheaders] X-Frame-Options SAMEORIGIN
Using Firebug in Firefox to inspect, I can see the X-Frame-Options headers are correctly output in 99% of cases. However, there are a few files (JS and CSS files mainly) that still don't output the X-Frame-Options header.
all the best
I should have mentioned that we still use AOLserver, so I believe the extraheaders is unfortunately not available to us.
Is there another solution?
What version of OpenACS are you using?
I also have the same problem trying to configure X-Frame options.
I am using an ancient and heavily modified version. However, I did manage to get it working by adding those changes to packages/acs-tcl/tcl/request-processor-procs.tcl
I was able to make it work by adding them to procedure rp_filter also in packages/acs-tcl/tcl/request-processor-procs.tcl.
Will just have to run some tests to make sure nothing is broken.
Thanks a lot!
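Added example, not part of the original thread and not OpenACS code: a small Python audit that automates the check done by hand in Firebug above, flagging captured responses whose X-Frame-Options header is missing, conflicting, obsolete or invalid. The URLs and response heads are constructed sample data, and the function names are assumptions made for this sketch.

```python
# Constructed sample: raw response heads as `curl -i` or a proxy would capture them.
SAMPLE = {
    "/index": "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
              "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "/report": "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
               "x-frame-options: sameorigin\r\n\r\n",
    "/static/site.css": "HTTP/1.0 200 OK\r\nContent-Type: text/css\r\n\r\n",
    "/static/site.js": "HTTP/1.0 200 OK\r\n"
                       "Content-Type: application/x-javascript\r\n\r\n",
    "/legacy": "HTTP/1.0 200 OK\r\nX-Frame-Options: DENY\r\n"
               "X-Frame-Options: SAMEORIGIN\r\n\r\n",
}

def parse_head(raw):
    """Return [(lowercased name, value), ...] from a raw HTTP response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:                      # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def xfo_finding(raw):
    """Classify the X-Frame-Options state of one response."""
    values = []
    for name, value in parse_head(raw):
        if name == "x-frame-options":
            # An intermediary may merge repeated headers into one comma list.
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    if not values:
        return "missing"
    if len(set(values)) > 1:
        return "conflicting"                    # browsers disagree on how to resolve this
    if values[0] in ("DENY", "SAMEORIGIN"):
        return "ok"
    if values[0].startswith("ALLOW-FROM"):
        return "obsolete"                       # ignored by current browsers
    return "invalid"

def audit(responses):
    """Map URL -> finding for every response that is not 'ok'."""
    findings = {url: xfo_finding(raw) for url, raw in responses.items()}
    return {url: f for url, f in sorted(findings.items()) if f != "ok"}

if __name__ == "__main__":
    for url, finding in audit(SAMPLE).items():
        print(f"{finding:12} {url}")
```

Running the audit after each change to request-processor-procs.tcl shows whether the static JS and CSS paths are now covered.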