Remove obsolete dapps and update security headers (#2694)

* Embed allowed only on signer port * Adding security headers to dapps * Adding security headers to signer * Removing old dapps
2016-10-19 11:02:21 +02:00
parent 487dfb0208
commit 5e67c89b4b
18 changed files with 123 additions and 93 deletions
--- a/dapps/src/handlers/mod.rs
+++ b/dapps/src/handlers/mod.rs
@@ -31,6 +31,24 @@ pub use self::fetch::{ContentFetcherHandler, ContentValidator, FetchControl};
 use url::Url;
 use hyper::{server, header, net, uri};

+/// Adds security-related headers to the Response.
+pub fn add_security_headers(headers: &mut header::Headers, embeddable_at: Option<u16>) {
+	headers.set_raw("X-XSS-Protection", vec![b"1; mode=block".to_vec()]);
+	headers.set_raw("X-Content-Type-Options", vec![b"nosniff".to_vec()]);
+
+	// Embedding header:
+	if let Some(port) = embeddable_at {
+		headers.set_raw(
+			"X-Frame-Options",
+			vec![format!("ALLOW-FROM http://127.0.0.1:{}", port).into_bytes()]
+			);
+	} else {
+		// TODO [ToDr] Should we be more strict here (DENY?)?
+		headers.set_raw("X-Frame-Options",  vec![b"SAMEORIGIN".to_vec()]);
+	}
+}
+
+/// Extracts URL part from the Request.
 pub fn extract_url(req: &server::Request<net::HttpStream>) -> Option<Url> {
 	match *req.uri() {
 		uri::RequestUri::AbsoluteUri(ref url) => {