diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 51f8b539a..9c90639cb 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -148,6 +148,7 @@ public class I2PSnarkServlet extends DefaultServlet {
_imgPath = _themePath + "images/";
// this is the part after /i2psnark
String path = req.getServletPath();
+ resp.setHeader("X-Frame-Options", "SAMEORIGIN");
// AJAX for mainsection
if ("/.ajax/xhr1.html".equals(path)) {
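Review bot: The `X-Frame-Options` header set on the new line is unconditional, while the console's copy of the same header in this commit is gated by `routerconsole.disableXFrame` (CSSHelper.shouldSendXFrame), so the history.txt entry saying that property disables the header is only true for the router console, not for i2psnark. Either consult the same property here — presumably via the I2P context if this servlet holds one, e.g. `if (!_context.getBooleanProperty("routerconsole.disableXFrame")) resp.setHeader("X-Frame-Options", "SAMEORIGIN");` — or state in the changelog that the toggle is console-only. A why-comment such as `// clickjacking protection: refuse to be framed by other origins; applies to every response from this handler, including the AJAX paths below` would also make the placement above the `/.ajax` branch deliberate. The enclosing method starts before this hunk.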
diff --git a/apps/i2ptunnel/jsp/edit.jsp b/apps/i2ptunnel/jsp/edit.jsp
index 236e600f0..c61d4de71 100644
--- a/apps/i2ptunnel/jsp/edit.jsp
+++ b/apps/i2ptunnel/jsp/edit.jsp
@@ -1,6 +1,8 @@
<%
// NOTE: Do the header carefully so there is no whitespace before the <%@page pageEncoding="UTF-8"
%><%@page trimDirectiveWhitespaces="true"
%><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
diff --git a/apps/i2ptunnel/jsp/index.jsp b/apps/i2ptunnel/jsp/index.jsp
index 3f31bdd05..41adffc7a 100644
--- a/apps/i2ptunnel/jsp/index.jsp
+++ b/apps/i2ptunnel/jsp/index.jsp
@@ -5,6 +5,8 @@
if (request.getCharacterEncoding() == null)
request.setCharacterEncoding("UTF-8");
+ response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
%><%@page pageEncoding="UTF-8"
%><%@page trimDirectiveWhitespaces="true"
%><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.IndexBean"
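Review bot: The new `response.setHeader("X-Frame-Options", "SAMEORIGIN")` carries no explanation, unlike the `// clickjacking` note added to css.jsi in this same commit; a line such as `// clickjacking protection; must run before any template output, since headers set after the response is committed are silently dropped` would record why it sits at the top of the leading scriptlet. Its position here, before any markup is written, is the correct one and should be preserved if the header block is ever reorganised.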
diff --git a/apps/i2ptunnel/jsp/wizard.jsp b/apps/i2ptunnel/jsp/wizard.jsp
index 1e8a8e1a4..d9aeb3873 100644
--- a/apps/i2ptunnel/jsp/wizard.jsp
+++ b/apps/i2ptunnel/jsp/wizard.jsp
@@ -5,6 +5,8 @@
if (request.getCharacterEncoding() == null)
request.setCharacterEncoding("UTF-8");
+ response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
%><%@page pageEncoding="UTF-8"
%><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
%>
diff --git a/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java b/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java
index dc95bf6d1..3dd724b08 100644
--- a/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java
@@ -19,6 +19,7 @@ public class CSSHelper extends HelperBase {
private static final String FORCE = "classic";
public static final String PROP_REFRESH = "routerconsole.summaryRefresh";
public static final String DEFAULT_REFRESH = "60";
+ private static final String PROP_XFRAME = "routerconsole.disableXFrame";
public String getTheme(String userAgent) {
String url = BASE_THEME_PATH;
@@ -58,6 +59,15 @@ public class CSSHelper extends HelperBase {
NewsFetcher.getInstance(_context).showNews(val.equals("1"));
}
+ /**
+ * Should we send X_Frame_Options=SAMEORIGIN
+ * Default true
+ * @since 0.9.1
+ */
+ public boolean shouldSendXFrame() {
+ return !_context.getBooleanProperty(PROP_XFRAME);
+ }
+
/** change refresh and save it */
public void setRefresh(String r) {
_context.router().saveConfig(PROP_REFRESH, r);
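Review bot: The Javadoc on `shouldSendXFrame()` misspells the header as `X_Frame_Options`; it should read `X-Frame-Options`, and it should name the controlling property and the consequence of flipping it, e.g. `Should the console send X-Frame-Options: SAMEORIGIN (clickjacking protection)? Default true; set routerconsole.disableXFrame=true to turn it off, which allows any site to frame the console.` The inverted reading of a `disable…` property through `!` is correct as written but easy to misread, so a one-line comment on the return would help. PROP_XFRAME is declared in the earlier hunk of this file.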
diff --git a/apps/routerconsole/jsp/css.jsi b/apps/routerconsole/jsp/css.jsi
index 767d0d071..434b67cae 100644
--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@@ -29,6 +29,10 @@
" />
<%
+ // clickjacking
+ if (intl.shouldSendXFrame())
+ response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
String conNonceParam = request.getParameter("consoleNonce");
if (conNonceParam != null && conNonceParam.equals(System.getProperty("router.consoleNonce"))) {
intl.setLang(request.getParameter("lang"));
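Review bot: The `response.setHeader("X-Frame-Options", ...)` call on the new line runs after this include has already written markup (the `" />` closing a tag just above it, plus whatever the including page emitted before the include), and the Servlet API silently ignores headers set once the response has been committed. It works today only because that earlier output still fits in the unflushed JSP response buffer; any page that writes more than the buffer size before including css.jsi, or flushes explicitly, would lose the protection with no error. Move the call to the very top of this include, ahead of the first `<link>` output, or into the including pages' leading scriptlet, and at minimum guard it with `if (!response.isCommitted())` and log when the header could not be added. The `intl` helper is presumably the CSSHelper bean declared earlier in this file, outside the hunk.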
diff --git a/apps/susidns/src/jsp/addressbook.jsp b/apps/susidns/src/jsp/addressbook.jsp
index 3dd298a7f..fe9666473 100644
--- a/apps/susidns/src/jsp/addressbook.jsp
+++ b/apps/susidns/src/jsp/addressbook.jsp
@@ -27,6 +27,8 @@
if (request.getCharacterEncoding() == null)
request.setCharacterEncoding("UTF-8");
+ response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
%>
<%@page pageEncoding="UTF-8"%>
<%@page trimDirectiveWhitespaces="true"%>
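Review bot: Adding `response.setHeader("X-Frame-Options", "SAMEORIGIN")` page by page (this file and the four other susidns JSPs in this commit) leaves any susidns page or servlet not on that list — one not touched here, if any, or one added later — unprotected, and each copy is unconditional, unlike the console's `routerconsole.disableXFrame` gate. A `javax.servlet.Filter` registered in the webapp's web.xml that sets the header on every response would cover the whole application in one place and keep the policy consistent. If the per-page approach is kept, a short why-comment on each copy, `// clickjacking protection; must precede any output`, would explain its placement at the top of the scriptlet.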
diff --git a/apps/susidns/src/jsp/config.jsp b/apps/susidns/src/jsp/config.jsp
index 2f4e2a79d..a39b52602 100644
--- a/apps/susidns/src/jsp/config.jsp
+++ b/apps/susidns/src/jsp/config.jsp
@@ -27,6 +27,8 @@
if (request.getCharacterEncoding() == null)
request.setCharacterEncoding("UTF-8");
+ response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
%>
<%@page pageEncoding="UTF-8"%>
<%@page trimDirectiveWhitespaces="true"%>
diff --git a/apps/susidns/src/jsp/details.jsp b/apps/susidns/src/jsp/details.jsp
index c3f12821f..3c67305e1 100644
--- a/apps/susidns/src/jsp/details.jsp
+++ b/apps/susidns/src/jsp/details.jsp
@@ -24,6 +24,8 @@
if (request.getCharacterEncoding() == null)
request.setCharacterEncoding("UTF-8");
+ response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
%>
<%@page pageEncoding="UTF-8"%>
<%@page trimDirectiveWhitespaces="true"%>
diff --git a/apps/susidns/src/jsp/index.jsp b/apps/susidns/src/jsp/index.jsp
index 1cb170d9d..97b3c920b 100644
--- a/apps/susidns/src/jsp/index.jsp
+++ b/apps/susidns/src/jsp/index.jsp
@@ -27,6 +27,8 @@
if (request.getCharacterEncoding() == null)
request.setCharacterEncoding("UTF-8");
+ response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
%>
<%@page pageEncoding="UTF-8"%>
<%@page trimDirectiveWhitespaces="true"%>
diff --git a/apps/susidns/src/jsp/subscriptions.jsp b/apps/susidns/src/jsp/subscriptions.jsp
index 30a15b7db..f7b6fa035 100644
--- a/apps/susidns/src/jsp/subscriptions.jsp
+++ b/apps/susidns/src/jsp/subscriptions.jsp
@@ -27,6 +27,8 @@
if (request.getCharacterEncoding() == null)
request.setCharacterEncoding("UTF-8");
+ response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
%>
<%@page pageEncoding="UTF-8"%>
<%@page trimDirectiveWhitespaces="true"%>
diff --git a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
index b7b7c8669..3f73b6533 100644
--- a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
@@ -1185,6 +1185,7 @@ public class WebMail extends HttpServlet
{
httpRequest.setCharacterEncoding("UTF-8");
response.setCharacterEncoding("UTF-8");
+ response.setHeader("X-Frame-Options", "SAMEORIGIN");
RequestWrapper request = new RequestWrapper( httpRequest );
SessionObject sessionObject = null;
diff --git a/history.txt b/history.txt
index 35f398111..af1ec21bf 100644
--- a/history.txt
+++ b/history.txt
@@ -1,3 +1,7 @@
+2012-05-13 zzz
+ * Console: Add X-Frame-Options to headers,
+ disable with routerconsole.disableXFrame=true
+
* 2012-05-02 0.9 released
2012-04-26 kytv
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index a411b0099..87e5bffca 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
/** deprecated */
public final static String ID = "Monotone";
public final static String VERSION = CoreVersion.VERSION;
- public final static long BUILD = 0;
+ public final static long BUILD = 1;
/** for example "-test" */
public final static String EXTRA = "";