Forum OpenACS Q&A: Where to add X-Frame-Options headers?

I'm running an older version of OpenACS but hopefully someone will be able to give me a pointer about this. We have a requirement to add an X-Frame-Options header to all response headers (see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet ).

I have modified the rp_handler proc in acs-tcl/tcl/request-processor-procs.tcl by adding the following line at the start of the proc:

ns_set put [ns_conn outputheaders] X-Frame-Options SAMEORIGIN

Using Firebug in Firefox to inspect, I can see the X-Frame-Options headers are correctly output in 99% of cases. However there are a few files (JS and CSS files mainly) that still don't output the X-Frame-Options header.

My current working theory on this (not confirmed) is that these files get sourced directly in the ADP using 'script src=' and 'link rel="stylesheet"' HTML tags, whereas the ones that correctly have the headers are sourced using the template::head::add_javascript and template::head::add_css procs. However, I would still have thought that the request processor would have handled the delivery of these files.

Any suggestions?

thanks
Brian

I should have mentioned that we still use AOLserver, so I believe the extraheaders is unfortunately not available to us.

Is there another solution?

thanks
Brian

What version of OpenACS are you using?
I also have the same problem trying to configure X-Frame options.

Thanks,

I was able to make it work by adding them to procedure rp_filter also in packages/acs-tcl/tcl/request-processor-procs.tcl.

Will just have to run some tests to make sure nothing is broken.

Thanks a lot!