Author: rfm
Date: Wed Apr 19 14:20:03 2017
New Revision: 40487
URL: http://svn.gna.org/viewcvs/gnustep?rev=40487&view=rev
Log:
Add WebServerFrameOptions
Modified:
libs/webserver/trunk/ChangeLog
libs/webserver/trunk/Internal.h
libs/webserver/trunk/WebServer.h
libs/webserver/trunk/WebServer.m
libs/webserver/trunk/WebServerConnection.m
Modified: libs/webserver/trunk/ChangeLog
URL:
http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/ChangeLog?rev=40487&r1=40486&r2=40487&view=diff
==============================================================================
--- libs/webserver/trunk/ChangeLog (original)
+++ libs/webserver/trunk/ChangeLog Wed Apr 19 14:20:03 2017
@@ -1,3 +1,8 @@
+2017-04-19 Richard Frith-Macdonald <[email protected]>
+
+ New WebServerFrameOptions user default (DENY if not set) to sert a
+ default X-Frame-Options header value for use by all responses.
+
2016-10-28 Wolfgang Lux <[email protected]>
* WebServerBundles.m (-dealloc): Unregister from notification
Modified: libs/webserver/trunk/Internal.h
URL:
http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/Internal.h?rev=40487&r1=40486&r2=40487&view=diff
==============================================================================
--- libs/webserver/trunk/Internal.h (original)
+++ libs/webserver/trunk/Internal.h Wed Apr 19 14:20:03 2017
@@ -100,6 +100,7 @@
NSUInteger maxConnectionRequests;
NSTimeInterval maxConnectionDuration;
NSSet *permittedMethods;
+ NSString *frameOptions;
}
@end
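Review bot: The new `frameOptions` ivar is undocumented, although its nil state carries meaning: the WebServerConnection.m hunk skips the header when it is nil. I would add a comment on the declaration such as `/* X-Frame-Options value added to responses; nil means no header is added. Owned by this object and released in -dealloc. */`. The enclosing class declaration starts outside this hunk.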
Modified: libs/webserver/trunk/WebServer.h
URL:
http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServer.h?rev=40487&r1=40486&r2=40487&view=diff
==============================================================================
--- libs/webserver/trunk/WebServer.h (original)
+++ libs/webserver/trunk/WebServer.h Wed Apr 19 14:20:03 2017
@@ -364,6 +364,14 @@
* class recognises the following defaults keys -
* </p>
* <deflist>
+ * <term>WebServerFrameOptions</term>
+ * <desc>A string defining the frame options setting for responses produced
+ * by the server (application code can always override this).<br />
+ * If this is not defined, the value <code>DENY</code> is used to prevent
+ * responses from being presented inside frames.<br />
+ * If this is defined as an empty string, no X-Frame-Options header is set
+ * (unless application code explicitly sets the header in the response).
+ * </desc>
* <term>WebServerHosts</term>
* <desc>An array of host IP addresses to list the hosts permitted to
* send requests to the server. If defined, requests from other hosts
@@ -441,6 +449,7 @@
NSLock *_incrementalDataLock;
NSMutableDictionary *_incrementalDataMap;
NSUInteger _strictTransportSecurity;
+ NSString *_frameOptions;
void *_reserved;
}
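Review bot: `_frameOptions` is added to the public WebServer ivar block, but none of the hunks in this commit reads or writes it; the setting is stored in `_conf->frameOptions` instead. If nothing outside these hunks uses it, it is a dead field that suggests a second source of truth for the header value. Inserting it ahead of `_reserved` also changes the instance layout, which may matter to subclasses built against the old header. Either drop it, or add a comment on the declaration explaining what it is reserved for.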
Modified: libs/webserver/trunk/WebServer.m
URL:
http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServer.m?rev=40487&r1=40486&r2=40487&view=diff
==============================================================================
--- libs/webserver/trunk/WebServer.m (original)
+++ libs/webserver/trunk/WebServer.m Wed Apr 19 14:20:03 2017
@@ -2615,6 +2615,8 @@
- (void) _setup
{
+ NSString *s;
+
_reserved = 0;
_nc = [[NSNotificationCenter defaultCenter] retain];
_connectionTimeout = 30.0;
@@ -2634,6 +2636,14 @@
_conf->maxConnectionDuration = 10.0;
_conf->maxBodySize = 4*1024*1024;
_conf->maxRequestSize = 8*1024;
+ if (nil == (s = [_defs stringForKey: @"WebServerFrameOptions"]))
+ {
+ _conf->frameOptions = @"DENY";
+ }
+ else if ([s length] > 0)
+ {
+ _conf->frameOptions = [s copy];
+ }
_maxPerHost = 32;
_maxConnections = 128;
_substitutionLimit = 4;
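Review bot: The `WebServerFrameOptions` value is copied into `_conf->frameOptions` with only a length check, so a whitespace-only, mistyped or control-character value is later emitted as the X-Frame-Options header as-is. Browsers ignore values they do not recognise, so a typo in the default silently removes the framing protection that the `DENY` fallback is meant to provide. Whether `setHeader:value:parameters:` rejects CR/LF in a value is not visible here. I would trim the string, fall back to `DENY` on control characters, and log when the value is neither `DENY` nor `SAMEORIGIN`. The `_setup` body starts and ends outside this hunk.

```objc
// … unchanged: maxConnectionDuration, maxBodySize, maxRequestSize defaults …
  s = [_defs stringForKey: @"WebServerFrameOptions"];
  if (nil == s)
    {
      _conf->frameOptions = @"DENY";
    }
  else
    {
      s = [s stringByTrimmingCharactersInSet:
        [NSCharacterSet whitespaceAndNewlineCharacterSet]];
      if ([s length] > 0)
        {
          if ([s rangeOfCharacterFromSet:
            [NSCharacterSet controlCharacterSet]].length > 0)
            {
              /* Never emit a value that could break the header line. */
              NSLog(@"WebServerFrameOptions contains control characters;"
                @" using DENY");
              _conf->frameOptions = @"DENY";
            }
          else
            {
              if ([s caseInsensitiveCompare: @"DENY"] != NSOrderedSame
                && [s caseInsensitiveCompare: @"SAMEORIGIN"] != NSOrderedSame)
                {
                  NSLog(@"WebServerFrameOptions value '%@' may not be"
                    @" recognised by browsers", s);
                }
              _conf->frameOptions = [s copy];
            }
        }
    }
// … unchanged: _maxPerHost and following defaults …
```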
@@ -2700,6 +2710,7 @@
- (void) dealloc
{
[permittedMethods release];
+ [frameOptions release];
[super dealloc];
}
@end
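Review bot: The added `[frameOptions release]` is only balanced if every instance owns its own reference to the string. The commit touches no copy method for this class, so if the class is duplicated by a bitwise copy anywhere outside this hunk, the copy and the original would share one reference and both would release it. That is harmless for the constant `@"DENY"` but an over-release for a value produced by `[s copy]`. Please confirm that any `copyWithZone:` on this class also does `c->frameOptions = [c->frameOptions copy];` (or retains it).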
Modified: libs/webserver/trunk/WebServerConnection.m
URL:
http://svn.gna.org/viewcvs/gnustep/libs/webserver/trunk/WebServerConnection.m?rev=40487&r1=40486&r2=40487&view=diff
==============================================================================
--- libs/webserver/trunk/WebServerConnection.m (original)
+++ libs/webserver/trunk/WebServerConnection.m Wed Apr 19 14:20:03 2017
@@ -1098,6 +1098,12 @@
value: value
parameters: nil];
}
+ if (nil != conf->frameOptions)
+ {
+ [response setHeader: @"X-Frame-Options"
+ value: conf->frameOptions
+ parameters: nil];
+ }
}
return response;
}
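Review bot: The added block calls `setHeader:` whenever `conf->frameOptions` is non-nil, without checking whether the response already carries an X-Frame-Options header. The WebServer.h documentation in this commit says application code can always override the default. Unless the enclosing block, whose condition is outside the hunk, already guarantees this, an application that set `SAMEORIGIN` would have it replaced by the configured default. A guard along the lines of `if (nil != conf->frameOptions && nil == [response headerNamed: @"X-Frame-Options"])` would keep the documented behaviour.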