Hi all
I'm running an older version of OpenACS but hopefully someone will be able to give me a pointer about this. We have a requirement to add an X-Frame-Options header to all response headers (see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet).
I have modified the rp_handler proc in acs-tcl/tcl/request-processor-procs.tcl by adding the following line at the start of the proc:
ns_set put [ns_conn outputheaders] X-Frame-Options SAMEORIGIN
Using Firebug in Firefox to inspect, I can see the X-Frame-Options headers are correctly output in 99% of cases. However there are a few files (JS and CSS files mainly) that still don't output the X-Frame-Options header.
My current working theory on this (not confirmed) is that these files get sourced directly in the ADP using 'script src=' and 'link rel="stylesheet"' HTML tags, whereas the ones that correctly have the headers are sourced using the template::head::add_javascript and template::head::add_css procs. However, I would still have thought that the request processor would have handled the delivery of these files.
Any suggestions?
Thanks
Brian
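One way to make the header independent of which code path serves a URL is to set it from a connection filter rather than from inside rp_handler. The filter below is an added example, not code from Brian's post or from the OpenACS code base; it assumes the AOLserver/NaviServer commands ns_register_filter, ns_conn outputheaders and ns_set update, and registers per HTTP method the same way OpenACS registers its own rp_filter. The procedure name xfo::add_header is a placeholder chosen for this example.

```tcl
# Added example: stamp X-Frame-Options on every response via a connection filter,
# so static files served outside rp_handler (fastpath, other registered procs)
# get the header too. Assumes AOLserver/NaviServer filter and ns_set APIs.

namespace eval xfo {}

proc xfo::add_header { why } {
    # Output headers can only be changed before the response is written.
    # A "trace" filter runs after the response has been sent, so it is
    # too late there; only act in the preauth/postauth stages.
    if { $why ne "preauth" && $why ne "postauth" } {
        return filter_ok
    }
    set headers [ns_conn outputheaders]
    # "update" replaces any existing value instead of appending a second
    # X-Frame-Options header if the handler (e.g. rp_handler) already set one.
    ns_set update $headers X-Frame-Options SAMEORIGIN
    # Let the request continue to whatever handler normally serves it.
    return filter_ok
}

# Register for each method that can return a framable document or an asset.
# postauth runs before the handler but after authentication filters, so it
# applies to every URL under / regardless of how the file is delivered.
foreach method { GET POST HEAD } {
    ns_register_filter postauth $method /* xfo::add_header
}
```

Two things worth checking after installing a filter like this: that no other filter or handler later calls ns_set put with the same key (a second copy of the header is what ns_set update guards against), and that the header shows up on a static asset fetched directly, which confirms the filter is running on paths rp_handler never sees. X-Frame-Options only affects documents a browser could place in a frame, so a missing header on a .js or .css response is not itself a clickjacking exposure, but the filter still satisfies a policy that asks for it on every response.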