[FIX] web: no frames on login/preferences screen

We generally consider this a low priority issue as it is social-engineering based and many easier options exist for targeting gullible users. Nevertheless, protecting a couple of obvious pages does not hurt.

[FIX] web: no frames on login/preferences screen
6d16915d · Olivier Dony · 4d7d234e · 6d16915d · 6d16915d · 6d16915d
Unverified Commit 6d16915d authored 8 years ago by Olivier Dony
--- a/addons/auth_signup/controllers/main.py
+++ b/addons/auth_signup/controllers/main.py
@@ -65,7 +65,9 @@ class AuthSignupHome(Home):
            except Exception, e:
                qcontext['error'] = e.message or e.name

-        return request.render('auth_signup.reset_password', qcontext)
+        response = request.render('auth_signup.reset_password', qcontext)
+        response.headers['X-Frame-Options'] = 'DENY'
+        return response

    def get_auth_signup_config(self):
        """retrieve the module config (which features are enabled) for the login page"""

--- a/addons/web/controllers/main.py
+++ b/addons/web/controllers/main.py
@@ -440,7 +440,9 @@ class Home(http.Controller):
        request.uid = request.session.uid
        context = request.env['ir.http'].webclient_rendering_context()

-        return request.render('web.webclient_bootstrap', qcontext=context)
+        response = request.render('web.webclient_bootstrap', qcontext=context)
+        response.headers['X-Frame-Options'] = 'DENY'
+        return response

    @http.route('/web/dbredirect', type='http', auth="none")
    def web_db_redirect(self, redirect='/', **kw):
@@ -473,7 +475,9 @@ class Home(http.Controller):
                return http.redirect_with_hash(redirect)
            request.uid = old_uid
            values['error'] = _("Wrong login/password")
-        return request.render('web.login', values)
+        response = request.render('web.login', values)
+        response.headers['X-Frame-Options'] = 'DENY'
+        return response


 class WebClient(http.Controller):

--- a/addons/website_portal/controllers/main.py
+++ b/addons/website_portal/controllers/main.py
@@ -89,7 +89,9 @@ class website_account(http.Controller):
            'redirect': redirect,
        })

-        return request.render("website_portal.details", values)
+        response = request.render("website_portal.details", values)
+        response.headers['X-Frame-Options'] = 'DENY'
+        return response

    def details_form_validate(self, data):
        error = dict()